@crossauth/sveltekit 0.0.20 → 0.0.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/dist/index.cjs +1 -1
  2. package/dist/index.d.ts +1 -1
  3. package/dist/index.js +863 -849
  4. package/dist/sveltekitadminclientendpoints.d.ts +16 -17
  5. package/dist/sveltekitadminendpoints.d.ts +20 -21
  6. package/dist/sveltekitapikey.d.ts +3 -3
  7. package/dist/sveltekitoauthclient.d.ts +13 -14
  8. package/dist/sveltekitoauthserver.d.ts +14 -14
  9. package/dist/sveltekitresserver.d.ts +4 -5
  10. package/dist/sveltekitserver.d.ts +8 -8
  11. package/dist/sveltekitsession.d.ts +20 -5
  12. package/dist/sveltekitsessionadapter.d.ts +3 -2
  13. package/dist/sveltekitsharedclientendpoints.d.ts +7 -8
  14. package/dist/sveltekituserclientendpoints.d.ts +16 -17
  15. package/dist/sveltekituserendpoints.d.ts +36 -37
  16. package/dist/tests/sveltekitoauthclient.test.d.ts +6 -6
  17. package/dist/tests/sveltekitoauthresserver.test.d.ts +5 -5
  18. package/dist/tests/sveltemocks.d.ts +3 -2
  19. package/dist/tests/testshared.d.ts +8 -8
  20. package/dist/utils.d.ts +2 -1
  21. package/package.json +4 -4
package/dist/index.js CHANGED
@@ -1,9 +1,9 @@
1
- import { minimatch as P } from "minimatch";
2
- import { ApiKeyManager as M, KeyStorage as X, toCookieSerializeOptions as R, Crypto as A, OAuthAuthorizationServer as Z, setParameter as y, ParamType as _, DoubleSubmitCsrfToken as ee, OAuthClientManager as x, OAuthClientBackend as re, OAuthResourceServer as se, OAuthTokenConsumer as te, TokenEmailer as oe, SessionManager as ie } from "@crossauth/backend";
3
- import { CrossauthError as c, ErrorCode as h, CrossauthLogger as d, j as u, OAuthFlows as E, UserState as I, httpStatus as q } from "@crossauth/common";
1
+ import { minimatch as I } from "minimatch";
2
+ import { ApiKeyManager as K, KeyStorage as $, toCookieSerializeOptions as P, Crypto as F, OAuthAuthorizationServer as Z, setParameter as y, ParamType as E, DoubleSubmitCsrfToken as ee, OAuthClientManager as B, OAuthClientBackend as re, OAuthResourceServer as se, OAuthTokenConsumer as te, TokenEmailer as oe, SessionManager as ie } from "@crossauth/backend";
3
+ import { CrossauthError as c, ErrorCode as h, CrossauthLogger as d, j as u, OAuthFlows as _, UserState as N, httpStatus as q } from "@crossauth/common";
4
4
  import { json as v, redirect as Q, error as Y } from "@sveltejs/kit";
5
5
  import "cookie";
6
- import { jwtDecode as K } from "jwt-decode";
6
+ import { jwtDecode as M } from "jwt-decode";
7
7
  import ae from "qrcode";
8
8
  class V {
9
9
  constructor(r) {
@@ -26,11 +26,11 @@ class b {
26
26
  this.clone = r;
27
27
  }
28
28
  async loadData(r) {
29
- var t, e, s, a;
29
+ var t, e, s, i;
30
30
  if (!((t = r.request) != null && t.body))
31
31
  return;
32
32
  const o = r.request.headers.get("content-type");
33
- o == "application/json" ? this.jsonData = this.clone ? await ((s = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : s.json()) : await ((a = r.request) == null ? void 0 : a.json()) : (o == "application/x-www-form-urlencoded" || o != null && o.startsWith("multipart/form-data")) && (this.formData = this.clone ? await r.request.clone().formData() : await r.request.formData());
33
+ o == "application/json" ? this.jsonData = this.clone ? await ((s = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : s.json()) : await ((i = r.request) == null ? void 0 : i.json()) : (o == "application/x-www-form-urlencoded" || o != null && o.startsWith("multipart/form-data")) && (this.formData = this.clone ? await r.request.clone().formData() : await r.request.formData());
34
34
  }
35
35
  get(r) {
36
36
  if (this.jsonData) return this.jsonData[r];
@@ -84,7 +84,7 @@ class ne {
84
84
  * @param options See {@link SvelteKitApiKeyServerOptions}
85
85
  */
86
86
  constructor(r, o, t = {}) {
87
- this.userStorage = r, this.apiKeyManager = new M(o, t), this.hook = async ({ event: e }) => {
87
+ this.userStorage = r, this.apiKeyManager = new K(o, t), this.hook = async ({ event: e }) => {
88
88
  d.logger.debug("APIKey hook");
89
89
  const s = e.request.headers.get("authorization");
90
90
  if (s)
@@ -92,29 +92,29 @@ class ne {
92
92
  d.logger.debug(u({
93
93
  msg: "Received authorization header"
94
94
  }));
95
- const a = await this.apiKeyManager.validateToken(
95
+ const i = await this.apiKeyManager.validateToken(
96
96
  s
97
97
  );
98
98
  d.logger.debug(u({
99
99
  msg: "Valid API key",
100
- hahedApiKey: M.hashSignedApiKeyValue(a.value)
100
+ hahedApiKey: K.hashSignedApiKeyValue(i.value)
101
101
  }));
102
- const i = X.decodeData(a.data);
103
- if (e.locals.apiKey = { ...a, ...i }, "scope" in i && Array.isArray(i.scope)) {
102
+ const a = $.decodeData(i.data);
103
+ if (e.locals.apiKey = { ...i, ...a }, "scope" in a && Array.isArray(a.scope)) {
104
104
  let n = [];
105
- for (let l of i.scope)
105
+ for (let l of a.scope)
106
106
  typeof l == "string" && n.push(l);
107
107
  e.locals.scope = n;
108
108
  }
109
- if (a.userid)
109
+ if (i.userid)
110
110
  try {
111
- const { user: n } = await this.userStorage.getUserById(a.userid);
112
- e.locals.user = n, e.locals.authType = "apiKey", d.logger.debug(u({ msg: "API key is for user", userid: n.id, user: n.username, hahedApiKey: M.hashSignedApiKeyValue(a.value) }));
111
+ const { user: n } = await this.userStorage.getUserById(i.userid);
112
+ e.locals.user = n, e.locals.authType = "apiKey", d.logger.debug(u({ msg: "API key is for user", userid: n.id, user: n.username, hahedApiKey: K.hashSignedApiKeyValue(i.value) }));
113
113
  } catch (n) {
114
- d.logger.error(u({ msg: "API key has invalid user", userid: a.userid, hashedApiKey: M.hashSignedApiKeyValue(a.value) })), d.logger.debug(u({ err: n }));
114
+ d.logger.error(u({ msg: "API key has invalid user", userid: i.userid, hashedApiKey: K.hashSignedApiKeyValue(i.value) })), d.logger.debug(u({ err: n }));
115
115
  }
116
- } catch (a) {
117
- d.logger.error(u({ msg: "Invalid authorization header received", header: s })), d.logger.debug(u({ err: a }));
116
+ } catch (i) {
117
+ d.logger.error(u({ msg: "Invalid authorization header received", header: s })), d.logger.debug(u({ err: i }));
118
118
  }
119
119
  };
120
120
  }
@@ -130,9 +130,9 @@ class ce {
130
130
  * @param options see {@link SvelteKitAuthorizationServerOptions}
131
131
  */
132
132
  constructor(r, o, t, e, s = {}) {
133
- var a;
133
+ var i;
134
134
  this.loginUrl = "/login", this.refreshTokenType = "json", this.refreshTokenCookieName = "CROSSAUTH_REFRESH_TOKEN", this.refreshTokenCookieDomain = void 0, this.refreshTokenCookieHttpOnly = !1, this.refreshTokenCookiePath = "/", this.refreshTokenCookieSecure = !0, this.refreshTokenCookieSameSite = "strict", this.authorizeEndpointUrl = "/oauth/authorize", this.tokenEndpointUrl = "/oauth/token", this.jwksEndpointUrl = "/oauth/jwks", this.oidcConfigurationEndpoint = {
135
- get: async (i) => v(this.authServer.oidcConfiguration(
135
+ get: async (a) => v(this.authServer.oidcConfiguration(
136
136
  {
137
137
  authorizeEndpoint: this.authorizeEndpointUrl,
138
138
  tokenEndpoint: this.tokenEndpointUrl,
@@ -141,7 +141,7 @@ class ce {
141
141
  }
142
142
  ))
143
143
  }, this.jwksGetEndpoint = {
144
- get: async (i) => {
144
+ get: async (a) => {
145
145
  try {
146
146
  return v(this.authServer.jwks());
147
147
  } catch (n) {
@@ -153,7 +153,7 @@ class ce {
153
153
  }
154
154
  }
155
155
  }, this.getCsrfTokenEndpoint = {
156
- get: async (i) => {
156
+ get: async (a) => {
157
157
  var l;
158
158
  if (!this.csrfTokens) return v({
159
159
  ok: !1,
@@ -166,17 +166,17 @@ class ce {
166
166
  csrfCookie: f,
167
167
  csrfFormOrHeaderValue: g
168
168
  } = await this.createCsrfToken();
169
- return n = f.value, i.cookies.set(
169
+ return n = f.value, a.cookies.set(
170
170
  f.name,
171
171
  f.value,
172
- R(f.options)
172
+ P(f.options)
173
173
  ), v({ ok: !0, csrfToken: g });
174
174
  } catch (f) {
175
175
  const g = c.asCrossauthError(f);
176
176
  return d.logger.error(u({
177
177
  msg: "getcsrftoken failure",
178
- user: (l = i.locals.user) == null ? void 0 : l.username,
179
- hashedCsrfCookie: A.hash(n.split(".")[0]),
178
+ user: (l = a.locals.user) == null ? void 0 : l.username,
179
+ hashedCsrfCookie: F.hash(n.split(".")[0]),
180
180
  error: g.code,
181
181
  errorCodeName: g.codeName
182
182
  })), d.logger.debug(u({ err: f })), d.logger.error({ cerr: f }), v({
@@ -187,15 +187,15 @@ class ce {
187
187
  }
188
188
  }
189
189
  }, this.authorizeEndpoint = {
190
- load: async (i) => {
191
- var w, S;
192
- if (!(this.authServer.validFlows.includes(E.AuthorizationCode) || this.authServer.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(E.OidcAuthorizationCode)))
190
+ load: async (a) => {
191
+ var m, S;
192
+ if (!(this.authServer.validFlows.includes(_.AuthorizationCode) || this.authServer.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(_.OidcAuthorizationCode)))
193
193
  throw this.error(401, "authorize cannot be called because the authorization code flows are not supported");
194
- if (!i.locals.user) return this.redirect(
194
+ if (!a.locals.user) return this.redirect(
195
195
  302,
196
- this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
196
+ this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
197
197
  );
198
- let n = this.getAuthorizeQuery(i);
198
+ let n = this.getAuthorizeQuery(a);
199
199
  if (!n.query) return n.error;
200
200
  let l = n.query;
201
201
  d.logger.debug(u({ msg: "validating authorize parameters" }));
@@ -203,34 +203,34 @@ class ce {
203
203
  if (f ? (g = new c(h.BadRequest, f), d.logger.error(u({
204
204
  msg: "authorize parameter invalid",
205
205
  cerr: g,
206
- user: (w = i.locals.user) == null ? void 0 : w.username
206
+ user: (m = a.locals.user) == null ? void 0 : m.username
207
207
  }))) : d.logger.error(u({
208
208
  msg: "authorize parameter valid",
209
- user: (S = i.locals.user) == null ? void 0 : S.username
209
+ user: (S = a.locals.user) == null ? void 0 : S.username
210
210
  })), g)
211
211
  return {
212
212
  ok: !1,
213
213
  error: g.oauthErrorCode,
214
214
  error_description: g.message
215
215
  };
216
- let m = !1;
216
+ let w = !1;
217
217
  if (d.logger.debug(u({
218
218
  msg: "Checking scopes have been authorized",
219
219
  scope: l.scope
220
- })), l.scope ? m = await this.authServer.hasAllScopes(
220
+ })), l.scope ? w = await this.authServer.hasAllScopes(
221
221
  l.client_id,
222
- i.locals.user,
222
+ a.locals.user,
223
223
  l.scope.split(" ")
224
- ) : m = await this.authServer.hasAllScopes(
224
+ ) : w = await this.authServer.hasAllScopes(
225
225
  l.client_id,
226
- i.locals.user,
226
+ a.locals.user,
227
227
  [null]
228
- ), m) {
228
+ ), w) {
229
229
  d.logger.debug(u({
230
230
  msg: "All scopes authorized",
231
231
  scope: l.scope
232
232
  }));
233
- const C = await this.authorize(i, !0, {
233
+ const C = await this.authorize(a, !0, {
234
234
  responseType: l.response_type,
235
235
  client_id: l.client_id,
236
236
  redirect_uri: l.redirect_uri,
@@ -254,7 +254,7 @@ class ce {
254
254
  return {
255
255
  ok: !0,
256
256
  authorizationNeeded: {
257
- user: i.locals.user,
257
+ user: a.locals.user,
258
258
  response_type: l.response_type,
259
259
  client_id: l.client_id,
260
260
  client_name: C.client_name,
@@ -264,7 +264,7 @@ class ce {
264
264
  state: l.state,
265
265
  code_challenge: l.code_challenge,
266
266
  code_challenge_method: l.code_challenge_method,
267
- csrfToken: i.locals.csrfToken
267
+ csrfToken: a.locals.csrfToken
268
268
  },
269
269
  ...this.baseEndpoint
270
270
  };
@@ -280,33 +280,33 @@ class ce {
280
280
  },
281
281
  // load
282
282
  actions: {
283
- default: async (i) => {
283
+ default: async (a) => {
284
284
  var f;
285
285
  let n;
286
286
  try {
287
287
  var l = new b();
288
- await l.loadData(i), n = l.toObject();
289
- const g = l.getAsBoolean("authorized"), m = n.response_type, w = n.client_id, S = n.redirect_uri, C = n.scope, T = n.state, N = n.code_challenge, F = n.code_challenge_method;
288
+ await l.loadData(a), n = l.toObject();
289
+ const g = l.getAsBoolean("authorized"), w = n.response_type, m = n.client_id, S = n.redirect_uri, C = n.scope, T = n.state, R = n.code_challenge, A = n.code_challenge_method;
290
290
  let U;
291
- if (g == null && (U = "authorized"), m ? w ? S ? T || (U = "state") : U = "redirect_uri" : U = "client_id" : U = "response_type", U)
291
+ if (g == null && (U = "authorized"), w ? m ? S ? T || (U = "state") : U = "redirect_uri" : U = "client_id" : U = "response_type", U)
292
292
  return {
293
293
  ok: !1,
294
294
  error: "invalid_request",
295
295
  error_description: "Invalid form: does not contain " + U + " parameter"
296
296
  };
297
- if (!i.locals.user) return this.redirect(
297
+ if (!a.locals.user) return this.redirect(
298
298
  302,
299
- this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
299
+ this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
300
300
  );
301
- if ((f = this.svelteKitServer.sessionServer) != null && f.enableCsrfProtection && !i.locals.csrfToken) throw new c(h.InvalidCsrf);
302
- const z = await this.authorize(i, g ?? !1, {
303
- responseType: m,
304
- client_id: w,
301
+ if ((f = this.svelteKitServer.sessionServer) != null && f.enableCsrfProtection && !a.locals.csrfToken) throw new c(h.InvalidCsrf);
302
+ const z = await this.authorize(a, g ?? !1, {
303
+ responseType: w,
304
+ client_id: m,
305
305
  redirect_uri: S,
306
306
  scope: C,
307
307
  state: T,
308
- codeChallenge: N,
309
- codeChallengeMethod: F
308
+ codeChallenge: R,
309
+ codeChallengeMethod: A
310
310
  });
311
311
  return {
312
312
  ok: !1,
@@ -315,10 +315,10 @@ class ce {
315
315
  };
316
316
  } catch (g) {
317
317
  if (p.isSvelteKitError(g) || p.isSvelteKitRedirect(g)) throw g;
318
- let m = c.asCrossauthError(g, "Couldn't process authorization code");
318
+ let w = c.asCrossauthError(g, "Couldn't process authorization code");
319
319
  return {
320
- error: m.oauthErrorCode,
321
- error_description: m.message,
320
+ error: w.oauthErrorCode,
321
+ error_description: w.message,
322
322
  ok: !1,
323
323
  formData: n
324
324
  };
@@ -326,22 +326,22 @@ class ce {
326
326
  }
327
327
  }
328
328
  }, this.tokenEndpoint = {
329
- post: async (i) => {
329
+ post: async (a) => {
330
330
  let n;
331
331
  try {
332
- if (!(this.authServer.validFlows.includes(E.AuthorizationCode) || this.authServer.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(E.OidcAuthorizationCode) || this.authServer.validFlows.includes(E.ClientCredentials) || this.authServer.validFlows.includes(E.RefreshToken) || this.authServer.validFlows.includes(E.Password) || this.authServer.validFlows.includes(E.PasswordMfa || this.authServer.validFlows.includes(E.DeviceCode))))
332
+ if (!(this.authServer.validFlows.includes(_.AuthorizationCode) || this.authServer.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(_.OidcAuthorizationCode) || this.authServer.validFlows.includes(_.ClientCredentials) || this.authServer.validFlows.includes(_.RefreshToken) || this.authServer.validFlows.includes(_.Password) || this.authServer.validFlows.includes(_.PasswordMfa || this.authServer.validFlows.includes(_.DeviceCode))))
333
333
  return v({
334
334
  ok: !1,
335
335
  error: "invalid_request",
336
336
  error_description: "Token endpoint cannot be called as the supported OAuth flow types don't require it"
337
337
  }, { status: 500 });
338
338
  var l = new b();
339
- await l.loadData(i), n = l.toObject();
340
- const { client_id: f, client_secret: g } = this.getClientIdAndSecret(n, i);
341
- let m = n.refresh_token, w = i.cookies.get(this.refreshTokenCookieName);
342
- if ((this.refreshTokenType == "cookie" && w || this.refreshTokenType == "both" && w && m == null) && this.csrfTokens) {
343
- const C = i.cookies.get(this.csrfTokens.cookieName);
344
- let T = i.request.headers.get(this.csrfTokens.headerName.toLowerCase());
339
+ await l.loadData(a), n = l.toObject();
340
+ const { client_id: f, client_secret: g } = this.getClientIdAndSecret(n, a);
341
+ let w = n.refresh_token, m = a.cookies.get(this.refreshTokenCookieName);
342
+ if ((this.refreshTokenType == "cookie" && m || this.refreshTokenType == "both" && m && w == null) && this.csrfTokens) {
343
+ const C = a.cookies.get(this.csrfTokens.cookieName);
344
+ let T = a.request.headers.get(this.csrfTokens.headerName.toLowerCase());
345
345
  if (Array.isArray(T) && (T = T[0]), !C || !T)
346
346
  return v({
347
347
  ok: !1,
@@ -350,14 +350,14 @@ class ce {
350
350
  }, { status: 401 });
351
351
  try {
352
352
  this.csrfTokens.validateDoubleSubmitCsrfToken(C, T);
353
- } catch (N) {
354
- return d.logger.debug(u({ err: N })), d.logger.warn(u({ cerr: N, msg: "Invalid csrf token", client_id: n.client_id })), v({
353
+ } catch (R) {
354
+ return d.logger.debug(u({ err: R })), d.logger.warn(u({ cerr: R, msg: "Invalid csrf token", client_id: n.client_id })), v({
355
355
  ok: !1,
356
356
  error: "access_denied",
357
357
  error_description: "Invalid csrf token"
358
358
  }, { status: 401 });
359
359
  }
360
- m = w;
360
+ w = m;
361
361
  }
362
362
  const S = await this.authServer.tokenEndpoint({
363
363
  grantType: n.grant_type,
@@ -372,16 +372,16 @@ class ce {
372
372
  oobCode: n.oob_code,
373
373
  bindingCode: n.binding_code,
374
374
  otp: n.otp,
375
- refreshToken: m,
375
+ refreshToken: w,
376
376
  deviceCode: n.device_code
377
377
  });
378
- if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(i, S.refresh_token, S.expires_in), S.error == "authorization_pending")
378
+ if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(a, S.refresh_token, S.expires_in), S.error == "authorization_pending")
379
379
  return v(S);
380
380
  if (S.error || !S.access_token) {
381
381
  let C = "server_error", T = "Neither code nor error received when requestoing authorization";
382
382
  S.error && (C = S.error), S.error_description && (T = S.error_description);
383
- const N = c.fromOAuthError(C, T);
384
- return d.logger.error(u({ cerr: N })), v(S, { status: N.httpStatus });
383
+ const R = c.fromOAuthError(C, T);
384
+ return d.logger.error(u({ cerr: R })), v(S, { status: R.httpStatus });
385
385
  }
386
386
  return v(S);
387
387
  } catch (f) {
@@ -393,10 +393,10 @@ class ce {
393
393
  }
394
394
  }
395
395
  }, this.mfaAuthenticatorsEndpoint = {
396
- get: async (i) => {
396
+ get: async (a) => {
397
397
  try {
398
398
  var n = new b();
399
- return await n.loadData(i), v(await this.mfaAuthenticators(i));
399
+ return await n.loadData(a), v(await this.mfaAuthenticators(a));
400
400
  } catch (l) {
401
401
  const f = c.asCrossauthError(l);
402
402
  return d.logger.debug({ err: l }), d.logger.error({ cerr: l }), v({
@@ -405,11 +405,11 @@ class ce {
405
405
  });
406
406
  }
407
407
  },
408
- post: async (i) => {
408
+ post: async (a) => {
409
409
  try {
410
410
  var n = new b();
411
- await n.loadData(i);
412
- let l = await this.mfaAuthenticators(i), f = 200;
411
+ await n.loadData(a);
412
+ let l = await this.mfaAuthenticators(a), f = 200;
413
413
  return !Array.isArray(l) && l.error == "access_denied" ? f = 401 : !Array.isArray(l) && l.error && (f = 500), v(l, { status: f });
414
414
  } catch (l) {
415
415
  const f = c.asCrossauthError(l);
@@ -420,11 +420,11 @@ class ce {
420
420
  }
421
421
  }
422
422
  }, this.mfaChallengeEndpoint = {
423
- post: async (i) => {
423
+ post: async (a) => {
424
424
  try {
425
425
  var n = new b();
426
- await n.loadData(i);
427
- const l = await this.mfaChallenge(i);
426
+ await n.loadData(a);
427
+ const l = await this.mfaChallenge(a);
428
428
  let f = 200;
429
429
  return l.error == "access_denied" ? f = 401 : l.error && (f = 500), v(l, { status: f });
430
430
  } catch (l) {
@@ -436,35 +436,35 @@ class ce {
436
436
  }
437
437
  }
438
438
  }, this.deviceAuthorizationEndpoint = {
439
- post: async (i) => {
439
+ post: async (a) => {
440
440
  let n;
441
441
  try {
442
- if (!this.authServer.validFlows.includes(E.DeviceCode))
442
+ if (!this.authServer.validFlows.includes(_.DeviceCode))
443
443
  return v({
444
444
  ok: !1,
445
445
  error: "invalid_request",
446
446
  error_description: "Device authorization endpoint cannot be called as the supported OAuth flow types don't require it"
447
447
  });
448
448
  var l = new b();
449
- await l.loadData(i), n = l.toObject();
450
- const { client_id: f, client_secret: g } = this.getClientIdAndSecret(n, i), m = await this.authServer.deviceAuthorizationEndpoint({
449
+ await l.loadData(a), n = l.toObject();
450
+ const { client_id: f, client_secret: g } = this.getClientIdAndSecret(n, a), w = await this.authServer.deviceAuthorizationEndpoint({
451
451
  client_id: f,
452
452
  client_secret: g,
453
453
  scope: n.scope
454
454
  });
455
- if (m.error) {
456
- const w = c.fromOAuthError(m.error, m.error_description);
457
- return d.logger.error(u({ cerr: w })), v(m, { status: 500 });
455
+ if (w.error) {
456
+ const m = c.fromOAuthError(w.error, w.error_description);
457
+ return d.logger.error(u({ cerr: m })), v(w, { status: 500 });
458
458
  }
459
- if (!m.device_code || !m.user_code || !m.verification_uri || !m.verification_uri_complete || !m.expires_in) {
460
- let w = "server_error", S = "Device authorization result has missing data";
459
+ if (!w.device_code || !w.user_code || !w.verification_uri || !w.verification_uri_complete || !w.expires_in) {
460
+ let m = "server_error", S = "Device authorization result has missing data";
461
461
  const C = new c(h.UnknownError, S);
462
462
  return d.logger.error(u({ cerr: C })), v({
463
- error: w,
463
+ error: m,
464
464
  error_description: S
465
465
  }, { status: 500 });
466
466
  }
467
- return v(m);
467
+ return v(w);
468
468
  } catch (f) {
469
469
  const g = c.asCrossauthError(f);
470
470
  return d.logger.debug({ err: f }), d.logger.error({ cerr: f }), v({
@@ -474,31 +474,31 @@ class ce {
474
474
  }
475
475
  }
476
476
  }, this.deviceEndpoint = {
477
- load: async (i) => {
478
- if (!this.authServer.validFlows.includes(E.DeviceCode))
477
+ load: async (a) => {
478
+ if (!this.authServer.validFlows.includes(_.DeviceCode))
479
479
  throw this.error(401, "device cannot be called because the device code flow is not supported");
480
- if (!i.locals.user) return this.redirect(
480
+ if (!a.locals.user) return this.redirect(
481
481
  302,
482
- this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
482
+ this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
483
483
  );
484
- let n = i.url.searchParams.get("user_code");
485
- return n ? await this.applyUserCode(n, i, i.locals.user) : {
484
+ let n = a.url.searchParams.get("user_code");
485
+ return n ? await this.applyUserCode(n, a, a.locals.user) : {
486
486
  ok: !0,
487
487
  completed: !1,
488
488
  retryAllowed: !0,
489
- user: i.locals.user,
490
- csrfToken: i.locals.csrfToken
489
+ user: a.locals.user,
490
+ csrfToken: a.locals.csrfToken
491
491
  };
492
492
  },
493
493
  // load
494
494
  actions: {
495
- userCode: async (i) => {
496
- if (!i.locals.user) throw this.error(401, "Access Denied");
495
+ userCode: async (a) => {
496
+ if (!a.locals.user) throw this.error(401, "Access Denied");
497
497
  try {
498
498
  var n = new b();
499
- await n.loadData(i);
499
+ await n.loadData(a);
500
500
  const l = n.get("user_code");
501
- return l ? await this.applyUserCode(l, i, i.locals.user) : {
501
+ return l ? await this.applyUserCode(l, a, a.locals.user) : {
502
502
  ok: !1,
503
503
  completed: !1,
504
504
  retryAllowed: !0,
@@ -517,15 +517,15 @@ class ce {
517
517
  };
518
518
  }
519
519
  },
520
- authorize: async (i) => {
520
+ authorize: async (a) => {
521
521
  var f;
522
522
  let n;
523
523
  try {
524
524
  var l = new b();
525
- await l.loadData(i), n = l.toObject();
526
- const g = l.getAsBoolean("authorized"), m = n.scope, w = n.client_id, S = n.user_code;
525
+ await l.loadData(a), n = l.toObject();
526
+ const g = l.getAsBoolean("authorized"), w = n.scope, m = n.client_id, S = n.user_code;
527
527
  let C;
528
- if (g == null && (C = "authorized"), w == null && (C = "client_id"), S == null && (C = "user_code"), C)
528
+ if (g == null && (C = "authorized"), m == null && (C = "client_id"), S == null && (C = "user_code"), C)
529
529
  return {
530
530
  ok: !1,
531
531
  completed: !1,
@@ -533,24 +533,24 @@ class ce {
533
533
  error: "invalid_request",
534
534
  error_description: "Invalid form: does not contain " + C + " parameter"
535
535
  };
536
- if (!i.locals.user) return this.redirect(
536
+ if (!a.locals.user) return this.redirect(
537
537
  302,
538
- this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
538
+ this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
539
539
  );
540
- if ((f = this.svelteKitServer.sessionServer) != null && f.enableCsrfProtection && !i.locals.csrfToken) throw new c(h.InvalidCsrf);
541
- return (await this.authServer.validateAndPersistScope(w, m, i.locals.user)).error ? {
540
+ if ((f = this.svelteKitServer.sessionServer) != null && f.enableCsrfProtection && !a.locals.csrfToken) throw new c(h.InvalidCsrf);
541
+ return (await this.authServer.validateAndPersistScope(m, w, a.locals.user)).error ? {
542
542
  ok: !1,
543
543
  completed: !1,
544
544
  retryAllowed: !1,
545
545
  error: "unauthorized_client",
546
546
  error_description: "You did not authorize access to your account"
547
- } : await this.applyUserCode(S, i, i.locals.user);
547
+ } : await this.applyUserCode(S, a, a.locals.user);
548
548
  } catch (g) {
549
549
  if (p.isSvelteKitError(g) || p.isSvelteKitRedirect(g)) throw g;
550
- let m = c.asCrossauthError(g, "Couldn't process authorization code");
550
+ let w = c.asCrossauthError(g, "Couldn't process authorization code");
551
551
  return {
552
- error: m.oauthErrorCode,
553
- error_description: m.message,
552
+ error: w.oauthErrorCode,
553
+ error_description: w.message,
554
554
  ok: !1,
555
555
  completed: !1,
556
556
  retryAllowed: !1
@@ -563,7 +563,7 @@ class ce {
563
563
  t,
564
564
  e,
565
565
  s
566
- ), y("loginUrl", _.String, this, s, "LOGIN_URL"), y("refreshTokenType", _.String, this, s, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", _.Boolean, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", _.Boolean, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", _.String, this, s, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", _.String, this, s, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", _.String, this, s, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((a = this.svelteKitServer.sessionServer) == null ? void 0 : a.enableCsrfProtection) == !0 ? this.csrfTokens = this.svelteKitServer.sessionServer.sessionManager.csrfTokens : this.csrfTokens = new ee(s.doubleSubmitCookieOptions));
566
+ ), y("loginUrl", E.String, this, s, "LOGIN_URL"), y("refreshTokenType", E.String, this, s, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", E.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", E.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", E.Boolean, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", E.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", E.Boolean, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", E.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", E.String, this, s, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", E.String, this, s, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", E.String, this, s, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((i = this.svelteKitServer.sessionServer) == null ? void 0 : i.enableCsrfProtection) == !0 ? this.csrfTokens = this.svelteKitServer.sessionServer.sessionManager.csrfTokens : this.csrfTokens = new ee(s.doubleSubmitCookieOptions));
567
567
  }
568
568
  /**
569
569
  * Returns this server's OIDC configuration. Just wraps
@@ -585,24 +585,24 @@ class ce {
585
585
  responseType: t,
586
586
  client_id: e,
587
587
  redirect_uri: s,
588
- scope: a,
589
- state: i,
588
+ scope: i,
589
+ state: a,
590
590
  codeChallenge: n,
591
591
  codeChallengeMethod: l
592
592
  }) {
593
- let f, g, m;
593
+ let f, g, w;
594
594
  if (o) {
595
- const w = await this.authServer.authorizeGetEndpoint({
595
+ const m = await this.authServer.authorizeGetEndpoint({
596
596
  responseType: t,
597
597
  client_id: e,
598
598
  redirect_uri: s,
599
- scope: a,
600
- state: i,
599
+ scope: i,
600
+ state: a,
601
601
  codeChallenge: n,
602
602
  codeChallengeMethod: l,
603
603
  user: r.locals.user
604
604
  });
605
- if (m = w.code, f = w.error, g = w.error_description, f || !m) {
605
+ if (w = m.code, f = m.error, g = m.error_description, f || !w) {
606
606
  const S = c.fromOAuthError(
607
607
  f ?? "server_error",
608
608
  g ?? "Neither code nor error received"
@@ -615,25 +615,25 @@ class ce {
615
615
  }
616
616
  throw this.redirect(302, this.authServer.redirect_uri(
617
617
  s,
618
- m,
619
- i
618
+ w,
619
+ a
620
620
  ));
621
621
  } else {
622
- const w = new c(
622
+ const m = new c(
623
623
  h.Unauthorized,
624
624
  "You have not granted access"
625
625
  );
626
- d.logger.debug(u({ err: w })), d.logger.error(u({ cerr: w })), d.logger.error(u({
626
+ d.logger.debug(u({ err: m })), d.logger.error(u({ cerr: m })), d.logger.error(u({
627
627
  msg: g,
628
- errorCode: w.code,
629
- errorCodeName: w.codeName
628
+ errorCode: m.code,
629
+ errorCodeName: m.codeName
630
630
  }));
631
631
  try {
632
- throw x.validateUri(s), this.redirect(302, s + "?error=access_denied&error_description=" + encodeURIComponent("Access was not granted"));
632
+ throw B.validateUri(s), this.redirect(302, s + "?error=access_denied&error_description=" + encodeURIComponent("Access was not granted"));
633
633
  } catch (S) {
634
634
  if (p.isSvelteKitError(S) || p.isSvelteKitRedirect(S)) throw S;
635
635
  return d.logger.error(u({
636
- msg: `Couldn't send error message ${w.codeName} to ${s}}`
636
+ msg: `Couldn't send error message ${m.codeName} to ${s}}`
637
637
  })), {
638
638
  ok: !1,
639
639
  error: "server_error",
@@ -690,13 +690,13 @@ class ce {
690
690
  if (o = this.requireGetParam(r, "client_id"), o) return { error: o };
691
691
  if (o = this.requireGetParam(r, "redirect_uri"), o) return { error: o };
692
692
  if (o = this.requireGetParam(r, "state"), o) return { error: o };
693
- const t = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", s = r.url.searchParams.get("redirect_uri") ?? "", a = r.url.searchParams.get("scope") ?? void 0, i = r.url.searchParams.get("state") ?? "", n = r.url.searchParams.get("code_challenge") ?? void 0, l = r.url.searchParams.get("code_challenge_method") ?? void 0;
693
+ const t = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", s = r.url.searchParams.get("redirect_uri") ?? "", i = r.url.searchParams.get("scope") ?? void 0, a = r.url.searchParams.get("state") ?? "", n = r.url.searchParams.get("code_challenge") ?? void 0, l = r.url.searchParams.get("code_challenge_method") ?? void 0;
694
694
  return { query: {
695
695
  response_type: t,
696
696
  client_id: e,
697
697
  redirect_uri: s,
698
- scope: a,
699
- state: i,
698
+ scope: i,
699
+ state: a,
700
700
  code_challenge: n,
701
701
  code_challenge_method: l
702
702
  }, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
@@ -710,18 +710,18 @@ class ce {
710
710
  if (e = this.requireBodyParam(t, "challenge_type"), e) return { error: e };
711
711
  if (e = this.requireBodyParam(t, "mfa_token"), e) return { error: e };
712
712
  if (e = this.requireBodyParam(t, "authenticator_id"), e) return { error: e };
713
- const s = t.client_id ?? "", a = t.challenge_type ?? "", i = t.mfa_token ?? "", n = t.authenticator_id ?? "", l = t.client_secret ?? void 0;
713
+ const s = t.client_id ?? "", i = t.challenge_type ?? "", a = t.mfa_token ?? "", n = t.authenticator_id ?? "", l = t.client_secret ?? void 0;
714
714
  return { query: {
715
715
  client_id: s,
716
716
  client_secret: l,
717
- challenge_type: a,
718
- mfa_token: i,
717
+ challenge_type: i,
718
+ mfa_token: a,
719
719
  authenticator_id: n
720
720
  }, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
721
721
  }
722
722
  async mfaAuthenticators(r) {
723
- var a;
724
- const o = (a = r.request.headers.get("authorization")) == null ? void 0 : a.split(" ");
723
+ var i;
724
+ const o = (i = r.request.headers.get("authorization")) == null ? void 0 : i.split(" ");
725
725
  if (!o || o.length != 2)
726
726
  return {
727
727
  error: "access_denied",
@@ -752,65 +752,65 @@ class ce {
752
752
  let t = r.client_id, e = r.client_secret;
753
753
  const s = o.request.headers.get("authorization");
754
754
  if (s) {
755
- let a, i;
755
+ let i, a;
756
756
  const n = s.split(" ");
757
757
  if (n.length == 2 && n[0].toLocaleLowerCase() == "basic") {
758
- const f = A.base64Decode(n[1]).split(":", 2);
759
- f.length == 2 && (a = f[0], i = f[1]);
758
+ const f = F.base64Decode(n[1]).split(":", 2);
759
+ f.length == 2 && (i = f[0], a = f[1]);
760
760
  }
761
- a == null || i == null ? d.logger.warn(u({
761
+ i == null || a == null ? d.logger.warn(u({
762
762
  msg: "Ignoring malform authenization header " + s
763
- })) : (t = a, e = i);
763
+ })) : (t = i, e = a);
764
764
  }
765
765
  return { client_id: t, client_secret: e };
766
766
  }
767
767
  async applyUserCode(r, o, t) {
768
- var e, s, a;
768
+ var e, s, i;
769
769
  try {
770
- const i = await this.authServer.deviceEndpoint({ userCode: r, user: t });
771
- if (i.error)
770
+ const a = await this.authServer.deviceEndpoint({ userCode: r, user: t });
771
+ if (a.error)
772
772
  return {
773
773
  ok: !1,
774
774
  completed: !1,
775
775
  retryAllowed: !1,
776
- error: i.error,
777
- error_description: i.error_description
776
+ error: a.error,
777
+ error_description: a.error_description
778
778
  };
779
- if (!i.client_id)
780
- return d.logger.error(u({ msg: "No client id found for user code", userCodeHash: A.hash(r), ip: o.request.referrer, username: (e = o.locals.user) == null ? void 0 : e.username })), {
779
+ if (!a.client_id)
780
+ return d.logger.error(u({ msg: "No client id found for user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (e = o.locals.user) == null ? void 0 : e.username })), {
781
781
  ok: !1,
782
782
  completed: !1,
783
783
  retryAllowed: !1,
784
784
  error: "server_error",
785
785
  error_description: "No client id found for user code"
786
786
  };
787
- if (i.error == "access_denied")
788
- return d.logger.error(u({ msg: "Incorrect user code given", userCodeHash: A.hash(r), ip: o.request.referrer, username: (s = o.locals.user) == null ? void 0 : s.username })), this.authServer.userCodeThrottle > 0 && await ((f) => new Promise((g) => setTimeout(g, f)))(this.authServer.userCodeThrottle), {
787
+ if (a.error == "access_denied")
788
+ return d.logger.error(u({ msg: "Incorrect user code given", userCodeHash: F.hash(r), ip: o.request.referrer, username: (s = o.locals.user) == null ? void 0 : s.username })), this.authServer.userCodeThrottle > 0 && await ((f) => new Promise((g) => setTimeout(g, f)))(this.authServer.userCodeThrottle), {
789
789
  ok: !1,
790
790
  completed: !1,
791
791
  retryAllowed: !0,
792
- error: i.error,
793
- error_description: i.error_description
792
+ error: a.error,
793
+ error_description: a.error_description
794
794
  };
795
- if (i.error == "expired_token")
796
- return d.logger.error(u({ msg: "Expired user code", userCodeHash: A.hash(r), ip: o.request.referrer, username: (a = o.locals.user) == null ? void 0 : a.username })), {
795
+ if (a.error == "expired_token")
796
+ return d.logger.error(u({ msg: "Expired user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (i = o.locals.user) == null ? void 0 : i.username })), {
797
797
  ok: !1,
798
798
  completed: !1,
799
799
  retryAllowed: !1,
800
- error: i.error,
801
- error_description: i.error_description
800
+ error: a.error,
801
+ error_description: a.error_description
802
802
  };
803
- const n = await this.clientStorage.getClientById(i.client_id);
804
- return i.scopeAuthorizationNeeded ? {
803
+ const n = await this.clientStorage.getClientById(a.client_id);
804
+ return a.scopeAuthorizationNeeded ? {
805
805
  ok: !0,
806
806
  completed: !1,
807
807
  retryAllowed: !0,
808
808
  authorizationNeeded: {
809
809
  user: t,
810
- client_id: i.client_id,
810
+ client_id: a.client_id,
811
811
  client_name: n.client_name,
812
- scope: i.scope,
813
- scopes: i.scope ? i.scope.split(" ") : [],
812
+ scope: a.scope,
813
+ scopes: a.scope ? a.scope.split(" ") : [],
814
814
  csrfToken: o.locals.csrfToken
815
815
  },
816
816
  user: o.locals.user,
@@ -823,8 +823,8 @@ class ce {
823
823
  user: o.locals.user,
824
824
  csrfToken: o.locals.csrfToken
825
825
  };
826
- } catch (i) {
827
- const n = c.asCrossauthError(i);
826
+ } catch (a) {
827
+ const n = c.asCrossauthError(a);
828
828
  return d.logger.debug(u({ err: n })), d.logger.error(u({ msg: n.message, cerr: n })), {
829
829
  ok: !1,
830
830
  completed: !1,
@@ -870,7 +870,7 @@ function O(k) {
870
870
  let r;
871
871
  if (k)
872
872
  try {
873
- r = JSON.parse(A.base64Decode(k.split(".")[1]));
873
+ r = JSON.parse(F.base64Decode(k.split(".")[1]));
874
874
  } catch {
875
875
  d.logger.error(u({ msg: "Couldn't decode id token" }));
876
876
  }
@@ -885,10 +885,10 @@ function L(k, r) {
885
885
  if (k.access_token)
886
886
  try {
887
887
  if (k.access_token && r.includes("access")) {
888
- const s = (o = K(k.access_token)) == null ? void 0 : o.jti, a = s ? A.hash(s) : void 0;
888
+ const s = (o = M(k.access_token)) == null ? void 0 : o.jti, i = s ? F.hash(s) : void 0;
889
889
  d.logger.debug(u({
890
890
  msg: "Got access token",
891
- accessTokenHash: a
891
+ accessTokenHash: i
892
892
  }));
893
893
  }
894
894
  } catch (s) {
@@ -897,10 +897,10 @@ function L(k, r) {
897
897
  if (k.id_token)
898
898
  try {
899
899
  if (k.id_token && r.includes("id")) {
900
- const s = (t = K(k.id_token)) == null ? void 0 : t.jti, a = s ? A.hash(s) : void 0;
900
+ const s = (t = M(k.id_token)) == null ? void 0 : t.jti, i = s ? F.hash(s) : void 0;
901
901
  d.logger.debug(u({
902
902
  msg: "Got id token",
903
- idTokenHash: a
903
+ idTokenHash: i
904
904
  }));
905
905
  }
906
906
  } catch (s) {
@@ -909,10 +909,10 @@ function L(k, r) {
909
909
  if (k.refresh_token && r.includes("refresh"))
910
910
  try {
911
911
  if (k.refresh_token) {
912
- const s = (e = K(k.refresh_token)) == null ? void 0 : e.jti, a = s ? A.hash(s) : void 0;
912
+ const s = (e = M(k.refresh_token)) == null ? void 0 : e.jti, i = s ? F.hash(s) : void 0;
913
913
  d.logger.debug(u({
914
914
  msg: "Got refresh token",
915
- refreshTokenHash: a
915
+ refreshTokenHash: i
916
916
  }));
917
917
  }
918
918
  } catch (s) {
@@ -920,7 +920,7 @@ function L(k, r) {
920
920
  }
921
921
  }
922
922
  async function j(k, r, o) {
923
- var a, i, n, l;
923
+ var i, a, n, l;
924
924
  if (!r.server.sessionAdapter)
925
925
  throw new c(
926
926
  h.Configuration,
@@ -928,7 +928,7 @@ async function j(k, r, o) {
928
928
  );
929
929
  let t = k.expires_in;
930
930
  if (!t && k.access_token && r.jwtTokens.includes("access")) {
931
- const f = K(k.access_token);
931
+ const f = M(k.access_token);
932
932
  f.exp && (t = f.exp);
933
933
  }
934
934
  if (!t)
@@ -943,12 +943,12 @@ async function j(k, r, o) {
943
943
  f && (s.id_token = f);
944
944
  }
945
945
  if (r.server.sessionServer) {
946
- let f = (a = r.server.sessionServer) == null ? void 0 : a.getSessionCookieValue(o);
946
+ let f = (i = r.server.sessionServer) == null ? void 0 : i.getSessionCookieValue(o);
947
947
  f ? await ((n = r.server.sessionAdapter) == null ? void 0 : n.updateSessionData(
948
948
  o,
949
949
  r.sessionDataName,
950
950
  s
951
- )) : f = await ((i = r.server.sessionServer) == null ? void 0 : i.createAnonymousSession(
951
+ )) : f = await ((a = r.server.sessionServer) == null ? void 0 : a.createAnonymousSession(
952
952
  o,
953
953
  { [r.sessionDataName]: s }
954
954
  ));
@@ -977,8 +977,8 @@ async function de(k, r, o, t, e) {
977
977
  if (!t) return r.redirect(302, r.authorizedUrl);
978
978
  } catch (s) {
979
979
  if (p.isSvelteKitError(s) || p.isSvelteKitRedirect(s)) throw s;
980
- const a = c.asCrossauthError(s);
981
- return d.logger.debug(u({ err: a })), d.logger.debug(u({ cerr: a, msg: "Error receiving tokens" })), r.errorFn(r.server, o, a);
980
+ const i = c.asCrossauthError(s);
981
+ return d.logger.debug(u({ err: i })), d.logger.debug(u({ cerr: i, msg: "Error receiving tokens" })), r.errorFn(r.server, o, i);
982
982
  }
983
983
  }
984
984
  async function he(k, r, o, t, e) {
@@ -999,8 +999,8 @@ async function he(k, r, o, t, e) {
999
999
  return v({ ok: !0, ...k });
1000
1000
  } catch (s) {
1001
1001
  if (p.isSvelteKitError(s) || p.isSvelteKitRedirect(s)) throw s;
1002
- const a = c.asCrossauthError(s);
1003
- return d.logger.debug(u({ err: a })), d.logger.debug(u({ cerr: a, msg: "Error receiving tokens" })), r.errorFn(r.server, o, a);
1002
+ const i = c.asCrossauthError(s);
1003
+ return d.logger.debug(u({ err: i })), d.logger.debug(u({ cerr: i, msg: "Error receiving tokens" })), r.errorFn(r.server, o, i);
1004
1004
  }
1005
1005
  }
1006
1006
  async function ue(k, r, o, t, e) {
@@ -1020,11 +1020,11 @@ async function ue(k, r, o, t, e) {
1020
1020
  return r.jwtTokens.includes("id") && (s.id_payload = O(k.id_token)), s.id_payload && await e(o, s.id_payload), s;
1021
1021
  } catch (s) {
1022
1022
  if (p.isSvelteKitError(s) || p.isSvelteKitRedirect(s)) throw s;
1023
- const a = c.asCrossauthError(s);
1024
- return d.logger.debug(u({ err: a })), d.logger.debug(u({ cerr: a, msg: "Error receiving tokens" })), {
1023
+ const i = c.asCrossauthError(s);
1024
+ return d.logger.debug(u({ err: i })), d.logger.debug(u({ cerr: i, msg: "Error receiving tokens" })), {
1025
1025
  ok: !1,
1026
- error: a.oauthErrorCode,
1027
- error_description: a.message
1026
+ error: i.oauthErrorCode,
1027
+ error_description: i.message
1028
1028
  };
1029
1029
  }
1030
1030
  }
@@ -1060,35 +1060,35 @@ class G extends re {
1060
1060
  * @param options See {@link SvelteKitOAuthClientOptions}
1061
1061
  */
1062
1062
  constructor(r, o, t) {
1063
- if (super(o, t), this.sessionDataName = "oauth", this.receiveTokenFn = J, this.errorFn = W, this.loginUrl = "/login", this.validFlows = [E.All], this.authorizedUrl = "", this.autoRefreshActive = {}, this.loginProtectedFlows = [], this.tokenResponseType = "sendJson", this.errorResponseType = "sendJson", this.bffEndpoints = [], this.bffEndpointName = "bff", this.tokenEndpoints = [], this.bffMaxTries = 1, this.bffSleepMilliseconds = 500, this.jwtTokens = ["access", "id", "refresh"], this.testMiddleware = !1, this.testEvent = void 0, this.authorizationCodeFlowEndpoint = {
1063
+ if (super(o, t), this.sessionDataName = "oauth", this.receiveTokenFn = J, this.errorFn = W, this.loginUrl = "/login", this.validFlows = [_.All], this.authorizedUrl = "", this.autoRefreshActive = {}, this.loginProtectedFlows = [], this.tokenResponseType = "sendJson", this.errorResponseType = "sendJson", this.bffEndpoints = [], this.bffEndpointName = "bff", this.tokenEndpoints = [], this.bffMaxTries = 1, this.bffSleepMilliseconds = 500, this.jwtTokens = ["access", "id", "refresh"], this.testMiddleware = !1, this.testEvent = void 0, this.authorizationCodeFlowEndpoint = {
1064
1064
  get: async (e) => {
1065
1065
  if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
1066
1066
  const s = new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
1067
1067
  return this.errorFn(this.server, e, s);
1068
1068
  }
1069
1069
  try {
1070
- if (!this.validFlows.includes(E.AuthorizationCode)) {
1070
+ if (!this.validFlows.includes(_.AuthorizationCode)) {
1071
1071
  const l = new c(h.Unauthorized, "Authorization flow is not supported");
1072
1072
  return this.errorFn(this.server, e, l);
1073
1073
  }
1074
1074
  let s = e.url.searchParams.get("scope") ?? void 0;
1075
1075
  s == "" && (s = void 0);
1076
- const { url: a, error: i, error_description: n } = await this.startAuthorizationCodeFlow(s);
1077
- if (i || !a) {
1076
+ const { url: i, error: a, error_description: n } = await this.startAuthorizationCodeFlow(s);
1077
+ if (a || !i) {
1078
1078
  const l = c.fromOAuthError(
1079
- i ?? "server_error",
1079
+ a ?? "server_error",
1080
1080
  n
1081
1081
  );
1082
1082
  return await this.errorFn(this.server, e, l);
1083
1083
  }
1084
1084
  throw d.logger.debug(u({
1085
1085
  msg: "Authorization code flow: redirecting",
1086
- url: a
1087
- })), this.redirect(302, a);
1086
+ url: i
1087
+ })), this.redirect(302, i);
1088
1088
  } catch (s) {
1089
1089
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
1090
- const a = c.asCrossauthError(s);
1091
- return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, e, a);
1090
+ const i = c.asCrossauthError(s);
1091
+ return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, e, i);
1092
1092
  }
1093
1093
  },
1094
1094
  load: async (e) => {
@@ -1104,7 +1104,7 @@ class G extends re {
1104
1104
  };
1105
1105
  }
1106
1106
  try {
1107
- if (!this.validFlows.includes(E.AuthorizationCode)) {
1107
+ if (!this.validFlows.includes(_.AuthorizationCode)) {
1108
1108
  const l = new c(h.Unauthorized, "Authorization flow is not supported");
1109
1109
  return {
1110
1110
  ok: !1,
@@ -1114,10 +1114,10 @@ class G extends re {
1114
1114
  }
1115
1115
  let s = e.url.searchParams.get("scope") ?? void 0;
1116
1116
  s == "" && (s = void 0);
1117
- const { url: a, error: i, error_description: n } = await this.startAuthorizationCodeFlow(s);
1118
- if (i || !a) {
1117
+ const { url: i, error: a, error_description: n } = await this.startAuthorizationCodeFlow(s);
1118
+ if (a || !i) {
1119
1119
  const l = c.fromOAuthError(
1120
- i ?? "server_error",
1120
+ a ?? "server_error",
1121
1121
  n
1122
1122
  );
1123
1123
  return {
@@ -1128,15 +1128,15 @@ class G extends re {
1128
1128
  }
1129
1129
  throw d.logger.debug(u({
1130
1130
  msg: "Authorization code flow: redirecting",
1131
- url: a
1132
- })), this.redirect(302, a);
1131
+ url: i
1132
+ })), this.redirect(302, i);
1133
1133
  } catch (s) {
1134
1134
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
1135
- const a = c.asCrossauthError(s);
1135
+ const i = c.asCrossauthError(s);
1136
1136
  return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), {
1137
1137
  ok: !1,
1138
- error: a.oauthErrorCode,
1139
- error_description: a.message
1138
+ error: i.oauthErrorCode,
1139
+ error_description: i.message
1140
1140
  };
1141
1141
  }
1142
1142
  }
@@ -1147,31 +1147,31 @@ class G extends re {
1147
1147
  return this.errorFn(this.server, e, s);
1148
1148
  }
1149
1149
  try {
1150
- if (!this.validFlows.includes(E.AuthorizationCodeWithPKCE)) {
1150
+ if (!this.validFlows.includes(_.AuthorizationCodeWithPKCE)) {
1151
1151
  const l = new c(h.Unauthorized, "Authorization flow is not supported");
1152
1152
  return this.errorFn(this.server, e, l);
1153
1153
  }
1154
1154
  let s = e.url.searchParams.get("scope") ?? void 0;
1155
1155
  s == "" && (s = void 0);
1156
- const { url: a, error: i, error_description: n } = await this.startAuthorizationCodeFlow(s, !0);
1157
- if (i || !a) {
1156
+ const { url: i, error: a, error_description: n } = await this.startAuthorizationCodeFlow(s, !0);
1157
+ if (a || !i) {
1158
1158
  const l = c.fromOAuthError(
1159
- i ?? "server_error",
1159
+ a ?? "server_error",
1160
1160
  n
1161
1161
  );
1162
1162
  return await this.errorFn(this.server, e, l);
1163
1163
  }
1164
1164
  throw d.logger.debug(u({
1165
1165
  msg: "Authorization code flow: redirecting",
1166
- url: a
1167
- })), this.redirect(302, a);
1166
+ url: i
1167
+ })), this.redirect(302, i);
1168
1168
  } catch (s) {
1169
1169
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
1170
- const a = c.asCrossauthError(s);
1170
+ const i = c.asCrossauthError(s);
1171
1171
  return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), v({
1172
- error: a.oauthErrorCode,
1173
- error_description: a.message
1174
- }, { status: a.httpStatus });
1172
+ error: i.oauthErrorCode,
1173
+ error_description: i.message
1174
+ }, { status: i.httpStatus });
1175
1175
  }
1176
1176
  },
1177
1177
  load: async (e) => {
@@ -1187,7 +1187,7 @@ class G extends re {
1187
1187
  };
1188
1188
  }
1189
1189
  try {
1190
- if (!this.validFlows.includes(E.AuthorizationCodeWithPKCE)) {
1190
+ if (!this.validFlows.includes(_.AuthorizationCodeWithPKCE)) {
1191
1191
  const l = new c(h.Unauthorized, "Authorization flow is not supported");
1192
1192
  return {
1193
1193
  ok: !1,
@@ -1197,10 +1197,10 @@ class G extends re {
1197
1197
  }
1198
1198
  let s = e.url.searchParams.get("scope") ?? void 0;
1199
1199
  s == "" && (s = void 0);
1200
- const { url: a, error: i, error_description: n } = await this.startAuthorizationCodeFlow(s, !0);
1201
- if (i || !a) {
1200
+ const { url: i, error: a, error_description: n } = await this.startAuthorizationCodeFlow(s, !0);
1201
+ if (a || !i) {
1202
1202
  const l = c.fromOAuthError(
1203
- i ?? "server_error",
1203
+ a ?? "server_error",
1204
1204
  n
1205
1205
  );
1206
1206
  return {
@@ -1211,15 +1211,15 @@ class G extends re {
1211
1211
  }
1212
1212
  throw d.logger.debug(u({
1213
1213
  msg: "Authorization code flow: redirecting",
1214
- url: a
1215
- })), this.redirect(302, a);
1214
+ url: i
1215
+ })), this.redirect(302, i);
1216
1216
  } catch (s) {
1217
1217
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
1218
- const a = c.asCrossauthError(s);
1218
+ const i = c.asCrossauthError(s);
1219
1219
  return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), {
1220
1220
  ok: !1,
1221
- error: a.oauthErrorCode,
1222
- error_description: a.message
1221
+ error: i.oauthErrorCode,
1222
+ error_description: i.message
1223
1223
  };
1224
1224
  }
1225
1225
  }
@@ -1230,14 +1230,14 @@ class G extends re {
1230
1230
  return this.errorFn(this.server, e, s);
1231
1231
  }
1232
1232
  try {
1233
- if (!(this.validFlows.includes(E.AuthorizationCode) || this.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.validFlows.includes(E.OidcAuthorizationCode))) {
1233
+ if (!(this.validFlows.includes(_.AuthorizationCode) || this.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.validFlows.includes(_.OidcAuthorizationCode))) {
1234
1234
  const f = new c(h.Unauthorized, "Authorization flows are not supported");
1235
1235
  return this.errorFn(this.server, e, f);
1236
1236
  }
1237
- const s = e.url.searchParams.get("code") ?? "", a = e.url.searchParams.get("state") ?? void 0, i = e.url.searchParams.get("error") ?? void 0, n = e.url.searchParams.get("error") ?? void 0, l = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
1237
+ const s = e.url.searchParams.get("code") ?? "", i = e.url.searchParams.get("state") ?? void 0, a = e.url.searchParams.get("error") ?? void 0, n = e.url.searchParams.get("error") ?? void 0, l = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
1238
1238
  s,
1239
- a,
1240
1239
  i,
1240
+ a,
1241
1241
  n
1242
1242
  ));
1243
1243
  if (l.error) return this.errorFn(this.server, e, c.fromOAuthError(l.error, l.error_description));
@@ -1261,8 +1261,8 @@ class G extends re {
1261
1261
  );
1262
1262
  } catch (s) {
1263
1263
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
1264
- const a = c.asCrossauthError(s);
1265
- return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, e, a);
1264
+ const i = c.asCrossauthError(s);
1265
+ return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, e, i);
1266
1266
  }
1267
1267
  },
1268
1268
  load: async (e) => {
@@ -1278,7 +1278,7 @@ class G extends re {
1278
1278
  };
1279
1279
  }
1280
1280
  try {
1281
- if (!(this.validFlows.includes(E.AuthorizationCode) || this.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.validFlows.includes(E.OidcAuthorizationCode))) {
1281
+ if (!(this.validFlows.includes(_.AuthorizationCode) || this.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.validFlows.includes(_.OidcAuthorizationCode))) {
1282
1282
  const g = new c(h.Unauthorized, "Authorization flows are not supported");
1283
1283
  return {
1284
1284
  ok: !1,
@@ -1286,10 +1286,10 @@ class G extends re {
1286
1286
  error_description: g.message
1287
1287
  };
1288
1288
  }
1289
- const s = e.url.searchParams.get("code") ?? "", a = e.url.searchParams.get("state") ?? void 0, i = e.url.searchParams.get("error") ?? void 0, n = e.url.searchParams.get("error") ?? void 0, l = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
1289
+ const s = e.url.searchParams.get("code") ?? "", i = e.url.searchParams.get("state") ?? void 0, a = e.url.searchParams.get("error") ?? void 0, n = e.url.searchParams.get("error") ?? void 0, l = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
1290
1290
  s,
1291
- a,
1292
1291
  i,
1292
+ a,
1293
1293
  n
1294
1294
  ));
1295
1295
  if (l.error) return {
@@ -1332,33 +1332,33 @@ class G extends re {
1332
1332
  };
1333
1333
  } catch (s) {
1334
1334
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
1335
- const a = c.asCrossauthError(s);
1335
+ const i = c.asCrossauthError(s);
1336
1336
  return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), {
1337
1337
  ok: !1,
1338
- error: a.oauthErrorCode,
1339
- error_description: a.message
1338
+ error: i.oauthErrorCode,
1339
+ error_description: i.message
1340
1340
  };
1341
1341
  }
1342
1342
  }
1343
1343
  }, this.clientCredentialsFlowEndpoint = {
1344
1344
  post: async (e) => {
1345
1345
  if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
1346
- const i = new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
1347
- return this.errorFn(this.server, e, i);
1346
+ const a = new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
1347
+ return this.errorFn(this.server, e, a);
1348
1348
  }
1349
1349
  let s;
1350
1350
  try {
1351
- if (!this.validFlows.includes(E.ClientCredentials)) {
1351
+ if (!this.validFlows.includes(_.ClientCredentials)) {
1352
1352
  const l = new c(h.Unauthorized, "Client credentials flow is not supported");
1353
1353
  return this.errorFn(this.server, e, l);
1354
1354
  }
1355
- var a = new b();
1356
- await a.loadData(e), s = a.toObject();
1357
- const i = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(s == null ? void 0 : s.scope));
1358
- if (i.error) {
1355
+ var i = new b();
1356
+ await i.loadData(e), s = i.toObject();
1357
+ const a = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(s == null ? void 0 : s.scope));
1358
+ if (a.error) {
1359
1359
  const l = c.fromOAuthError(
1360
- i.error,
1361
- i.error_description
1360
+ a.error,
1361
+ a.error_description
1362
1362
  );
1363
1363
  return await this.errorFn(
1364
1364
  this.server,
@@ -1367,17 +1367,17 @@ class G extends re {
1367
1367
  );
1368
1368
  }
1369
1369
  const n = await this.receiveTokenFn(
1370
- i,
1370
+ a,
1371
1371
  this,
1372
1372
  e,
1373
1373
  !1,
1374
1374
  this.setEventLocalsUser
1375
1375
  );
1376
1376
  return n instanceof Response ? n : this.pack(n);
1377
- } catch (i) {
1378
- if (p.isSvelteKitRedirect(i) || p.isSvelteKitError(i)) throw i;
1379
- const n = c.asCrossauthError(i);
1380
- return d.logger.debug({ err: i }), d.logger.error({ cerr: i }), this.errorFn(this.server, e, n);
1377
+ } catch (a) {
1378
+ if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
1379
+ const n = c.asCrossauthError(a);
1380
+ return d.logger.debug({ err: a }), d.logger.error({ cerr: a }), this.errorFn(this.server, e, n);
1381
1381
  }
1382
1382
  },
1383
1383
  actions: {
@@ -1389,27 +1389,27 @@ class G extends re {
1389
1389
  throw new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
1390
1390
  let s;
1391
1391
  try {
1392
- if (!this.validFlows.includes(E.ClientCredentials))
1392
+ if (!this.validFlows.includes(_.ClientCredentials))
1393
1393
  throw new c(h.Unauthorized, "Client credentials flow is not supported");
1394
- var a = new b();
1395
- await a.loadData(e), s = a.toObject();
1396
- const i = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(s == null ? void 0 : s.scope));
1397
- if (i.error)
1394
+ var i = new b();
1395
+ await i.loadData(e), s = i.toObject();
1396
+ const a = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(s == null ? void 0 : s.scope));
1397
+ if (a.error)
1398
1398
  throw c.fromOAuthError(
1399
- i.error,
1400
- i.error_description
1399
+ a.error,
1400
+ a.error_description
1401
1401
  );
1402
1402
  return await this.receiveTokenFn(
1403
- i,
1403
+ a,
1404
1404
  this,
1405
1405
  e,
1406
1406
  !1,
1407
1407
  this.setEventLocalsUser
1408
1408
  ) ?? {};
1409
- } catch (i) {
1410
- if (p.isSvelteKitRedirect(i) || p.isSvelteKitError(i)) throw i;
1411
- const n = c.asCrossauthError(i);
1412
- return d.logger.debug({ err: i }), d.logger.error({ cerr: i }), {
1409
+ } catch (a) {
1410
+ if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
1411
+ const n = c.asCrossauthError(a);
1412
+ return d.logger.debug({ err: a }), d.logger.error({ cerr: a }), {
1413
1413
  ok: !1,
1414
1414
  error: n.oauthErrorCode,
1415
1415
  error_description: n.message
@@ -1420,17 +1420,17 @@ class G extends re {
1420
1420
  }, this.refreshTokenFlowEndpoint = {
1421
1421
  post: async (e) => {
1422
1422
  if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
1423
- const i = new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
1424
- return this.errorFn(this.server, e, i);
1423
+ const a = new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
1424
+ return this.errorFn(this.server, e, a);
1425
1425
  }
1426
1426
  let s;
1427
1427
  try {
1428
- if (!this.validFlows.includes(E.RefreshToken)) {
1428
+ if (!this.validFlows.includes(_.RefreshToken)) {
1429
1429
  const f = new c(h.Unauthorized, "Refresh token flow is not supported");
1430
1430
  return this.errorFn(this.server, e, f);
1431
1431
  }
1432
- var a = new b();
1433
- if (await a.loadData(e), s = a.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
1432
+ var i = new b();
1433
+ if (await i.loadData(e), s = i.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
1434
1434
  try {
1435
1435
  if (!this.server.sessionAdapter.getCsrfToken(e))
1436
1436
  throw new c(h.InvalidCsrf);
@@ -1439,8 +1439,8 @@ class G extends re {
1439
1439
  const g = new c(h.Unauthorized, "CSRF token not present");
1440
1440
  return this.errorFn(this.server, e, g);
1441
1441
  }
1442
- let i = s.refresh_token;
1443
- if (!i && this.server.sessionAdapter) {
1442
+ let a = s.refresh_token;
1443
+ if (!a && this.server.sessionAdapter) {
1444
1444
  const f = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
1445
1445
  if (!(f != null && f.refresh_token)) {
1446
1446
  const g = new c(
@@ -1449,16 +1449,16 @@ class G extends re {
1449
1449
  );
1450
1450
  return this.errorFn(this.server, e, g);
1451
1451
  }
1452
- i = f.refresh_token;
1452
+ a = f.refresh_token;
1453
1453
  }
1454
- if (!i) {
1454
+ if (!a) {
1455
1455
  const f = new c(
1456
1456
  h.BadRequest,
1457
1457
  "No refresh token supplied"
1458
1458
  );
1459
1459
  return this.errorFn(this.server, e, f);
1460
1460
  }
1461
- const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), l = await this.receiveTokenFn(
1461
+ const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(a)), l = await this.receiveTokenFn(
1462
1462
  n,
1463
1463
  this,
1464
1464
  e,
@@ -1467,10 +1467,10 @@ class G extends re {
1467
1467
  );
1468
1468
  if (n && l instanceof Response) return l;
1469
1469
  throw new c(h.UnknownError, "Receive token function did not return a Response");
1470
- } catch (i) {
1471
- if (p.isSvelteKitRedirect(i) || p.isSvelteKitError(i)) throw i;
1472
- const n = c.asCrossauthError(i);
1473
- return d.logger.debug({ err: i }), d.logger.error({ cerr: i }), this.errorFn(this.server, e, n);
1470
+ } catch (a) {
1471
+ if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
1472
+ const n = c.asCrossauthError(a);
1473
+ return d.logger.debug({ err: a }), d.logger.error({ cerr: a }), this.errorFn(this.server, e, n);
1474
1474
  }
1475
1475
  },
1476
1476
  actions: {
@@ -1482,34 +1482,34 @@ class G extends re {
1482
1482
  throw new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
1483
1483
  let s;
1484
1484
  try {
1485
- if (!this.validFlows.includes(E.RefreshToken)) {
1485
+ if (!this.validFlows.includes(_.RefreshToken)) {
1486
1486
  const f = new c(h.Unauthorized, "Refresh token flow is not supported");
1487
1487
  return this.errorFn(this.server, e, f);
1488
1488
  }
1489
- var a = new b();
1490
- if (await a.loadData(e), s = a.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
1489
+ var i = new b();
1490
+ if (await i.loadData(e), s = i.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
1491
1491
  try {
1492
1492
  if (!this.server.sessionAdapter.getCsrfToken(e))
1493
1493
  throw new c(h.InvalidCsrf);
1494
1494
  } catch (f) {
1495
1495
  throw p.isSvelteKitError(f) || p.isSvelteKitRedirect(f) ? f : new c(h.Unauthorized, "CSRF token not present");
1496
1496
  }
1497
- let i = s.refresh_token;
1498
- if (!i && this.server.sessionAdapter) {
1497
+ let a = s.refresh_token;
1498
+ if (!a && this.server.sessionAdapter) {
1499
1499
  const f = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
1500
1500
  if (!(f != null && f.refresh_token))
1501
1501
  throw new c(
1502
1502
  h.BadRequest,
1503
1503
  "No refresh token in session or in parameters"
1504
1504
  );
1505
- i = f.refresh_token;
1505
+ a = f.refresh_token;
1506
1506
  }
1507
- if (!i)
1507
+ if (!a)
1508
1508
  throw new c(
1509
1509
  h.BadRequest,
1510
1510
  "No refresh token supplied"
1511
1511
  );
1512
- const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), l = await this.receiveTokenFn(
1512
+ const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(a)), l = await this.receiveTokenFn(
1513
1513
  n,
1514
1514
  this,
1515
1515
  e,
@@ -1518,10 +1518,10 @@ class G extends re {
1518
1518
  ) ?? {};
1519
1519
  if (l instanceof Response) throw new c(h.Configuration, "Refresh token flow should return an object not Response");
1520
1520
  return l;
1521
- } catch (i) {
1522
- if (p.isSvelteKitRedirect(i) || p.isSvelteKitError(i)) throw i;
1523
- const n = c.asCrossauthError(i);
1524
- return d.logger.debug({ err: i }), d.logger.error({ cerr: i }), {
1521
+ } catch (a) {
1522
+ if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
1523
+ const n = c.asCrossauthError(a);
1524
+ return d.logger.debug({ err: a }), d.logger.error({ cerr: a }), {
1525
1525
  ok: !1,
1526
1526
  error: n.oauthErrorCode,
1527
1527
  error_description: n.message
@@ -1570,8 +1570,8 @@ class G extends re {
1570
1570
  post: async (e) => {
1571
1571
  const s = await this.startDeviceCodeFlow_internal(e);
1572
1572
  if (s.error) {
1573
- const a = c.fromOAuthError(s.error, s.error_description);
1574
- return v(s, { status: a.httpStatus });
1573
+ const i = c.fromOAuthError(s.error, s.error_description);
1574
+ return v(s, { status: i.httpStatus });
1575
1575
  }
1576
1576
  return v(s);
1577
1577
  }
@@ -1587,40 +1587,40 @@ class G extends re {
1587
1587
  if (s instanceof Response) return s;
1588
1588
  if (s == null) return new Response(null, { status: 204 });
1589
1589
  if (s.error) {
1590
- const a = c.fromOAuthError(s.error, s.error_description);
1591
- return v(s, { status: a.httpStatus });
1590
+ const i = c.fromOAuthError(s.error, s.error_description);
1591
+ return v(s, { status: i.httpStatus });
1592
1592
  }
1593
1593
  return v(s);
1594
1594
  }
1595
1595
  }, this.passwordFlowEndpoint = {
1596
- post: async (e) => await this.passwordFlow_post(e, (s, a) => this.passwordPost(s, a)),
1596
+ post: async (e) => await this.passwordFlow_post(e, (s, i) => this.passwordPost(s, i)),
1597
1597
  actions: {
1598
- password: async (e) => await this.passwordFlow_action(e, (s, a) => this.passwordPost(s, a)),
1599
- passwordOtp: async (e) => await this.passwordFlow_action(e, (s, a) => this.passwordOtp(s, a)),
1600
- passwordOob: async (e) => await this.passwordFlow_action(e, (s, a) => this.passwordOob(s, a))
1598
+ password: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordPost(s, i)),
1599
+ passwordOtp: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordOtp(s, i)),
1600
+ passwordOob: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordOob(s, i))
1601
1601
  }
1602
1602
  }, this.passwordOtpEndpoint = {
1603
- post: async (e) => await this.passwordFlow_post(e, (s, a) => this.passwordOtp(s, a)),
1603
+ post: async (e) => await this.passwordFlow_post(e, (s, i) => this.passwordOtp(s, i)),
1604
1604
  actions: {
1605
- default: async (e) => await this.passwordFlow_action(e, (s, a) => this.passwordOtp(s, a))
1605
+ default: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordOtp(s, i))
1606
1606
  }
1607
1607
  }, this.passwordOobEndpoint = {
1608
- post: async (e) => await this.passwordFlow_post(e, (s, a) => this.passwordOob(s, a)),
1608
+ post: async (e) => await this.passwordFlow_post(e, (s, i) => this.passwordOob(s, i)),
1609
1609
  actions: {
1610
- default: async (e) => await this.passwordFlow_action(e, (s, a) => this.passwordOob(s, a))
1610
+ default: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordOob(s, i))
1611
1611
  }
1612
1612
  }, this.deleteTokensEndpoint = {
1613
1613
  post: async (e) => {
1614
- var s, a;
1614
+ var s, i;
1615
1615
  try {
1616
1616
  return await this.deleteSessionData(e), v({ ok: !0 });
1617
- } catch (i) {
1618
- if (p.isSvelteKitRedirect(i) || p.isSvelteKitError(i)) throw i;
1619
- const n = c.asCrossauthError(i);
1617
+ } catch (a) {
1618
+ if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
1619
+ const n = c.asCrossauthError(a);
1620
1620
  return d.logger.debug({ err: n }), d.logger.error({ cerr: n }), v({
1621
1621
  ok: !1,
1622
1622
  user: (s = this.server.sessionAdapter) == null ? void 0 : s.getUser(e),
1623
- csrfToken: (a = this.server.sessionAdapter) == null ? void 0 : a.getCsrfToken(e),
1623
+ csrfToken: (i = this.server.sessionAdapter) == null ? void 0 : i.getCsrfToken(e),
1624
1624
  errorCode: n.code,
1625
1625
  errorCodeName: n.codeName,
1626
1626
  errorMessage: n.message
@@ -1629,16 +1629,16 @@ class G extends re {
1629
1629
  },
1630
1630
  actions: {
1631
1631
  default: async (e) => {
1632
- var s, a;
1632
+ var s, i;
1633
1633
  try {
1634
1634
  return await this.deleteSessionData(e), { ok: !0 };
1635
- } catch (i) {
1636
- if (p.isSvelteKitRedirect(i) || p.isSvelteKitError(i)) throw i;
1637
- const n = c.asCrossauthError(i);
1635
+ } catch (a) {
1636
+ if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
1637
+ const n = c.asCrossauthError(a);
1638
1638
  return d.logger.debug({ err: n }), d.logger.error({ cerr: n }), {
1639
1639
  ok: !1,
1640
1640
  user: (s = this.server.sessionAdapter) == null ? void 0 : s.getUser(e),
1641
- csrfToken: (a = this.server.sessionAdapter) == null ? void 0 : a.getCsrfToken(e),
1641
+ csrfToken: (i = this.server.sessionAdapter) == null ? void 0 : i.getCsrfToken(e),
1642
1642
  errorCode: n.code,
1643
1643
  errorCodeName: n.codeName,
1644
1644
  errorMessage: n.message
@@ -1709,9 +1709,9 @@ class G extends re {
1709
1709
  actions: {
1710
1710
  default: async (e) => await this.tokens(e, this.tokenEndpoints)
1711
1711
  }
1712
- }, this.server = r, y("sessionDataName", _.String, this, t, "OAUTH_SESSION_DATA_NAME"), y("tokenResponseType", _.String, this, t, "OAUTH_TOKEN_RESPONSE_TYPE"), y("errorResponseType", _.String, this, t, "OAUTH_ERROR_RESPONSE_TYPE"), y("loginUrl", _.String, this, t, "LOGIN_URL"), y("bffEndpointName", _.String, this, t, "OAUTH_BFF_ENDPOINT_NAME"), y("bffBaseUrl", _.String, this, t, "OAUTH_BFF_BASEURL"), y("redirect_uri", _.String, this, t, "OAUTH_REDIRECTURI", !0), y("authorizedUrl", _.String, this, t, "AUTHORIZED_URL", !1), y("validFlows", _.JsonArray, this, t, "OAUTH_validFlows"), y("bffMaxTries", _.Number, this, t, "OAUTH_BFF_MAX_RETRIES"), y("bffSleepMilliseconds", _.Number, this, t, "OAUTH_BFF_SLEEP_MILLISECONDS"), y("jwtTokens", _.JsonArray, this, t, "OAUTH_JWT_TOKENS"), this.bffEndpointName && !this.bffEndpointName.startsWith("/") && (this.bffEndpointName = "/" + this.bffEndpointName), this.bffEndpointName && this.bffEndpointName.endsWith("/") && (this.bffEndpointName = this.bffEndpointName.substring(0, this.bffEndpointName.length - 1)), this.bffBaseUrl && this.bffBaseUrl.endsWith("/") && (this.bffBaseUrl = this.bffBaseUrl.substring(0, this.bffBaseUrl.length - 1)), t.redirect && (this.redirect = t.redirect), t.error && (this.error = t.error), this.validFlows.length == 1 && this.validFlows[0] == E.All)
1713
- this.validFlows = E.allFlows();
1714
- else if (!E.areAllValidFlows(this.validFlows))
1712
+ }, this.server = r, y("sessionDataName", E.String, this, t, "OAUTH_SESSION_DATA_NAME"), y("tokenResponseType", E.String, this, t, "OAUTH_TOKEN_RESPONSE_TYPE"), y("errorResponseType", E.String, this, t, "OAUTH_ERROR_RESPONSE_TYPE"), y("loginUrl", E.String, this, t, "LOGIN_URL"), y("bffEndpointName", E.String, this, t, "OAUTH_BFF_ENDPOINT_NAME"), y("bffBaseUrl", E.String, this, t, "OAUTH_BFF_BASEURL"), y("redirect_uri", E.String, this, t, "OAUTH_REDIRECTURI", !0), y("authorizedUrl", E.String, this, t, "AUTHORIZED_URL", !1), y("validFlows", E.JsonArray, this, t, "OAUTH_validFlows"), y("bffMaxTries", E.Number, this, t, "OAUTH_BFF_MAX_RETRIES"), y("bffSleepMilliseconds", E.Number, this, t, "OAUTH_BFF_SLEEP_MILLISECONDS"), y("jwtTokens", E.JsonArray, this, t, "OAUTH_JWT_TOKENS"), this.bffEndpointName && !this.bffEndpointName.startsWith("/") && (this.bffEndpointName = "/" + this.bffEndpointName), this.bffEndpointName && this.bffEndpointName.endsWith("/") && (this.bffEndpointName = this.bffEndpointName.substring(0, this.bffEndpointName.length - 1)), this.bffBaseUrl && this.bffBaseUrl.endsWith("/") && (this.bffBaseUrl = this.bffBaseUrl.substring(0, this.bffBaseUrl.length - 1)), t.redirect && (this.redirect = t.redirect), t.error && (this.error = t.error), this.validFlows.length == 1 && this.validFlows[0] == _.All)
1713
+ this.validFlows = _.allFlows();
1714
+ else if (!_.areAllValidFlows(this.validFlows))
1715
1715
  throw new c(h.Configuration, "Invalid flows specificied in " + this.validFlows.join(","));
1716
1716
  try {
1717
1717
  new URL(this.redirect_uri ?? "");
@@ -1721,9 +1721,9 @@ class G extends re {
1721
1721
  if (t.tokenEndpoints && (this.tokenEndpoints = t.tokenEndpoints), this.bffEndpointName.endsWith("/") && (this.bffEndpointName = this.bffEndpointName.substring(0, this.bffEndpointName.length - 1)), t.bffEndpoints && (this.bffEndpoints = t.bffEndpoints.map((e) => ({ ...e, methodsString: e.methods.map((s) => s) }))), this.bffEndpoints)
1722
1722
  for (let e of this.bffEndpoints)
1723
1723
  e.url.startsWith("/") || (e.url = "/" + e.url);
1724
- if (this.loginProtectedFlows.length == 1 && this.loginProtectedFlows[0] == E.All)
1724
+ if (this.loginProtectedFlows.length == 1 && this.loginProtectedFlows[0] == _.All)
1725
1725
  this.loginProtectedFlows = this.validFlows;
1726
- else if (!E.areAllValidFlows(this.loginProtectedFlows))
1726
+ else if (!_.areAllValidFlows(this.loginProtectedFlows))
1727
1727
  throw new c(
1728
1728
  h.Configuration,
1729
1729
  "Invalid flows specificied in " + this.loginProtectedFlows.join(",")
@@ -1753,8 +1753,8 @@ class G extends re {
1753
1753
  if (e.locals.user || !r.sessionAdapter) return;
1754
1754
  let s = await r.sessionAdapter.getSessionData(e, this.sessionDataName);
1755
1755
  if (s && s.id_payload) {
1756
- let a = s.expires_at;
1757
- a && a > Date.now() && s.id_payload.sub && await this.setEventLocalsUser(e, s.id_payload);
1756
+ let i = s.expires_at;
1757
+ i && i > Date.now() && s.id_payload.sub && await this.setEventLocalsUser(e, s.id_payload);
1758
1758
  }
1759
1759
  this.testMiddleware && (this.testEvent = e);
1760
1760
  };
@@ -1787,12 +1787,12 @@ class G extends re {
1787
1787
  o.password,
1788
1788
  o.scope
1789
1789
  );
1790
- if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(E.PasswordMfa)) {
1790
+ if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(_.PasswordMfa)) {
1791
1791
  const s = e.mfa_token;
1792
- let a = o.scope;
1793
- if (a == "" && (a = void 0), e = this.errorIfIdTokenInvalid(await this.passwordMfa(
1792
+ let i = o.scope;
1793
+ if (i == "" && (i = void 0), e = this.errorIfIdTokenInvalid(await this.passwordMfa(
1794
1794
  s,
1795
- a,
1795
+ i,
1796
1796
  r
1797
1797
  )), e.error)
1798
1798
  throw c.fromOAuthError(
@@ -1828,11 +1828,11 @@ class G extends re {
1828
1828
  };
1829
1829
  const s = e.authenticators[0];
1830
1830
  if (s.authenticator_type == "otp") {
1831
- const i = await this.mfaOtpRequest(r, s.id);
1832
- if (i.error || i.challenge_type != "otp") {
1831
+ const a = await this.mfaOtpRequest(r, s.id);
1832
+ if (a.error || a.challenge_type != "otp") {
1833
1833
  const n = c.fromOAuthError(
1834
- i.error ?? "server_error",
1835
- i.error_description ?? "Invalid response from MFA OTP challenge"
1834
+ a.error ?? "server_error",
1835
+ a.error_description ?? "Invalid response from MFA OTP challenge"
1836
1836
  );
1837
1837
  return d.logger.debug({ err: n }), d.logger.error({ cerr: n }), {
1838
1838
  error: n.oauthErrorCode,
@@ -1842,14 +1842,14 @@ class G extends re {
1842
1842
  return {
1843
1843
  scope: o,
1844
1844
  mfa_token: r,
1845
- challenge_type: i.challenge_type
1845
+ challenge_type: a.challenge_type
1846
1846
  };
1847
1847
  } else if (s.authenticator_type == "oob") {
1848
- const i = await this.mfaOobRequest(r, s.id);
1849
- if (i.error || i.challenge_type != "oob" || !i.oob_code || i.binding_method != "prompt") {
1848
+ const a = await this.mfaOobRequest(r, s.id);
1849
+ if (a.error || a.challenge_type != "oob" || !a.oob_code || a.binding_method != "prompt") {
1850
1850
  const n = c.fromOAuthError(
1851
- i.error ?? "server_error",
1852
- i.error_description ?? "Invalid response from MFA OOB challenge"
1851
+ a.error ?? "server_error",
1852
+ a.error_description ?? "Invalid response from MFA OOB challenge"
1853
1853
  );
1854
1854
  return d.logger.debug({ err: n }), d.logger.error({ cerr: n }), {
1855
1855
  error: n.oauthErrorCode,
@@ -1860,19 +1860,19 @@ class G extends re {
1860
1860
  scope: o,
1861
1861
  mfa_token: r,
1862
1862
  oob_channel: s.oob_channel,
1863
- challenge_type: i.challenge_type,
1864
- binding_method: i.binding_method,
1865
- oob_code: i.oob_code,
1863
+ challenge_type: a.challenge_type,
1864
+ binding_method: a.binding_method,
1865
+ oob_code: a.oob_code,
1866
1866
  name: s.name
1867
1867
  };
1868
1868
  }
1869
- const a = new c(
1869
+ const i = new c(
1870
1870
  h.UnknownError,
1871
1871
  "Unsupported MFA type " + s.authenticator_type + " returned"
1872
1872
  );
1873
1873
  return {
1874
- error: a.oauthErrorCode,
1875
- error_description: a.message
1874
+ error: i.oauthErrorCode,
1875
+ error_description: i.message
1876
1876
  };
1877
1877
  }
1878
1878
  async passwordOtp(r, o) {
@@ -1908,7 +1908,7 @@ class G extends re {
1908
1908
  return e.error ? (d.logger.warn(u({
1909
1909
  msg: "Error completing MFA",
1910
1910
  user: (s = this.server.sessionAdapter) == null ? void 0 : s.getUser(r),
1911
- hashedMfaToken: o.mfa_token ? A.hash(o.mfa_token) : void 0
1911
+ hashedMfaToken: o.mfa_token ? F.hash(o.mfa_token) : void 0
1912
1912
  })), {
1913
1913
  error: e.error,
1914
1914
  error_description: e.error_description
@@ -1927,10 +1927,10 @@ class G extends re {
1927
1927
  if (o.locals.sessionId && this.autoRefreshActive[o.locals.sessionId]) return;
1928
1928
  try {
1929
1929
  o.locals.sessionId && (this.autoRefreshActive[o.locals.sessionId] = !0);
1930
- const a = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(e));
1931
- if (!a.error && !a.access_token && (a.error = "server_error", a.error_description = "Unexpectedly did not receive error or access token"), !a.error) {
1930
+ const i = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(e));
1931
+ if (!i.error && !i.access_token && (i.error = "server_error", i.error_description = "Unexpectedly did not receive error or access token"), !i.error) {
1932
1932
  const l = await this.receiveTokenFn(
1933
- a,
1933
+ i,
1934
1934
  this,
1935
1935
  o,
1936
1936
  r == "silent",
@@ -1940,43 +1940,43 @@ class G extends re {
1940
1940
  }
1941
1941
  if (r != "silent") {
1942
1942
  const l = c.fromOAuthError(
1943
- a.error ?? "server_error",
1944
- a.error_description
1943
+ i.error ?? "server_error",
1944
+ i.error_description
1945
1945
  );
1946
1946
  return r == "page" ? this.errorFn(this.server, o, l) : {
1947
1947
  error: l.oauthErrorCode,
1948
1948
  error_description: l.message
1949
1949
  };
1950
1950
  }
1951
- let i = a.expires_in;
1952
- if (!i && a.access_token) {
1953
- const l = K(a.access_token);
1954
- l.exp && (i = l.exp);
1951
+ let a = i.expires_in;
1952
+ if (!a && i.access_token) {
1953
+ const l = M(i.access_token);
1954
+ l.exp && (a = l.exp);
1955
1955
  }
1956
- if (!i)
1956
+ if (!a)
1957
1957
  throw new c(
1958
1958
  h.BadRequest,
1959
1959
  "OAuth server did not return an expiry for the access token"
1960
1960
  );
1961
- const n = (/* @__PURE__ */ new Date()).getTime() + i * 1e3;
1961
+ const n = (/* @__PURE__ */ new Date()).getTime() + a * 1e3;
1962
1962
  return {
1963
- access_token: a.access_token,
1964
- refresh_token: a.refresh_token,
1965
- expires_in: a.expires_in,
1963
+ access_token: i.access_token,
1964
+ refresh_token: i.refresh_token,
1965
+ expires_in: i.expires_in,
1966
1966
  expires_at: n,
1967
- error: a.error,
1968
- error_description: a.error_description
1967
+ error: i.error,
1968
+ error_description: i.error_description
1969
1969
  };
1970
- } catch (a) {
1971
- if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
1972
- if (d.logger.debug(u({ err: a })), d.logger.error(u({
1973
- cerr: a,
1970
+ } catch (i) {
1971
+ if (p.isSvelteKitRedirect(i) || p.isSvelteKitError(i)) throw i;
1972
+ if (d.logger.debug(u({ err: i })), d.logger.error(u({
1973
+ cerr: i,
1974
1974
  msg: "Failed refreshing access token"
1975
1975
  })), r != "silent") {
1976
- const i = c.asCrossauthError(a);
1977
- return r == "page" ? this.errorFn(this.server, o, i) : {
1978
- error: i.oauthErrorCode,
1979
- error_description: i.message
1976
+ const a = c.asCrossauthError(i);
1977
+ return r == "page" ? this.errorFn(this.server, o, a) : {
1978
+ error: a.oauthErrorCode,
1979
+ error_description: a.message
1980
1980
  };
1981
1981
  }
1982
1982
  return {
@@ -2052,17 +2052,17 @@ class G extends re {
2052
2052
  }
2053
2053
  let t;
2054
2054
  try {
2055
- if (!(this.validFlows.includes(E.Password) || this.validFlows.includes(E.PasswordMfa))) {
2056
- const i = new c(h.Unauthorized, "Password flow is not supported");
2057
- return this.errorFn(this.server, r, i);
2055
+ if (!(this.validFlows.includes(_.Password) || this.validFlows.includes(_.PasswordMfa))) {
2056
+ const a = new c(h.Unauthorized, "Password flow is not supported");
2057
+ return this.errorFn(this.server, r, a);
2058
2058
  }
2059
2059
  var e = new b();
2060
2060
  if (await e.loadData(r), t = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
2061
2061
  try {
2062
2062
  if (!this.server.sessionAdapter.getCsrfToken(r))
2063
2063
  throw new c(h.InvalidCsrf);
2064
- } catch (i) {
2065
- if (p.isSvelteKitError(i) || p.isSvelteKitRedirect(i)) throw i;
2064
+ } catch (a) {
2065
+ if (p.isSvelteKitError(a) || p.isSvelteKitRedirect(a)) throw a;
2066
2066
  const n = new c(h.Unauthorized, "CSRF token not present");
2067
2067
  return this.errorFn(this.server, r, n);
2068
2068
  }
@@ -2072,19 +2072,19 @@ class G extends re {
2072
2072
  ok: !1,
2073
2073
  ...s
2074
2074
  };
2075
- const a = await this.receiveTokenFn(
2075
+ const i = await this.receiveTokenFn(
2076
2076
  s,
2077
2077
  this,
2078
2078
  r,
2079
2079
  !1,
2080
2080
  this.setEventLocalsUser
2081
2081
  );
2082
- if (s && a instanceof Response) return a;
2082
+ if (s && i instanceof Response) return i;
2083
2083
  throw new c(h.UnknownError, "Receive token function did not return a Response");
2084
2084
  } catch (s) {
2085
2085
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
2086
- const a = c.asCrossauthError(s);
2087
- return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, r, a);
2086
+ const i = c.asCrossauthError(s);
2087
+ return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, r, i);
2088
2088
  }
2089
2089
  }
2090
2090
  async passwordFlow_action(r, o) {
@@ -2095,17 +2095,17 @@ class G extends re {
2095
2095
  throw new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
2096
2096
  let t;
2097
2097
  try {
2098
- if (!(this.validFlows.includes(E.Password) || this.validFlows.includes(E.PasswordMfa))) {
2099
- const i = new c(h.Unauthorized, "Password and Password MFA flows are not supported");
2100
- return this.errorFn(this.server, r, i);
2098
+ if (!(this.validFlows.includes(_.Password) || this.validFlows.includes(_.PasswordMfa))) {
2099
+ const a = new c(h.Unauthorized, "Password and Password MFA flows are not supported");
2100
+ return this.errorFn(this.server, r, a);
2101
2101
  }
2102
2102
  var e = new b();
2103
2103
  if (await e.loadData(r), t = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
2104
2104
  try {
2105
2105
  if (!this.server.sessionAdapter.getCsrfToken(r))
2106
2106
  throw new c(h.InvalidCsrf);
2107
- } catch (i) {
2108
- throw p.isSvelteKitError(i) || p.isSvelteKitRedirect(i) ? i : new c(h.Unauthorized, "CSRF token not present");
2107
+ } catch (a) {
2108
+ throw p.isSvelteKitError(a) || p.isSvelteKitRedirect(a) ? a : new c(h.Unauthorized, "CSRF token not present");
2109
2109
  }
2110
2110
  const s = await o(r, t);
2111
2111
  if (!s) throw new c(h.UnknownError, "Password flow returned no data");
@@ -2115,28 +2115,28 @@ class G extends re {
2115
2115
  ...s
2116
2116
  };
2117
2117
  if (s.challenge_type) {
2118
- if (!this.validFlows.includes(E.PasswordMfa)) {
2119
- const i = new c(h.Unauthorized, "Password MFA flow is not supported");
2120
- return this.errorFn(this.server, r, i);
2118
+ if (!this.validFlows.includes(_.PasswordMfa)) {
2119
+ const a = new c(h.Unauthorized, "Password MFA flow is not supported");
2120
+ return this.errorFn(this.server, r, a);
2121
2121
  }
2122
2122
  return s;
2123
2123
  }
2124
- const a = await this.receiveTokenFn(
2124
+ const i = await this.receiveTokenFn(
2125
2125
  s,
2126
2126
  this,
2127
2127
  r,
2128
2128
  !1,
2129
2129
  this.setEventLocalsUser
2130
2130
  ) ?? {};
2131
- if (a instanceof Response) throw new c(h.Configuration, "Refresh token flow should return an object not Response");
2132
- return a;
2131
+ if (i instanceof Response) throw new c(h.Configuration, "Refresh token flow should return an object not Response");
2132
+ return i;
2133
2133
  } catch (s) {
2134
2134
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
2135
- const a = c.asCrossauthError(s);
2135
+ const i = c.asCrossauthError(s);
2136
2136
  return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), {
2137
2137
  ok: !1,
2138
- error: a.oauthErrorCode,
2139
- error_description: a.message
2138
+ error: i.oauthErrorCode,
2139
+ error_description: i.message
2140
2140
  };
2141
2141
  }
2142
2142
  }
@@ -2162,30 +2162,30 @@ class G extends re {
2162
2162
  let s = o.url;
2163
2163
  if (!s) {
2164
2164
  if (!r.url.pathname.startsWith(this.bffEndpointName)) throw new c(h.Unauthorized, "Attempt to call BFF url with the wrong prefix");
2165
- const a = r.url.pathname.substring(this.bffEndpointName.length);
2166
- let i = ((e = r.url.searchParams) == null ? void 0 : e.toString()) ?? void 0;
2167
- i && i != "" && (i = "?" + i), s = new URL(this.bffBaseUrl + a + i);
2165
+ const i = r.url.pathname.substring(this.bffEndpointName.length);
2166
+ let a = ((e = r.url.searchParams) == null ? void 0 : e.toString()) ?? void 0;
2167
+ a && a != "" && (a = "?" + a), s = new URL(this.bffBaseUrl + i + a);
2168
2168
  }
2169
2169
  o.headers || (o.headers = new Headers());
2170
- for (let a = 0; a < this.bffMaxTries; ++a) {
2171
- a > 0 && await new Promise((g) => setTimeout(g, this.bffSleepMilliseconds));
2172
- const i = await this.server.sessionAdapter.getSessionData(
2170
+ for (let i = 0; i < this.bffMaxTries; ++i) {
2171
+ i > 0 && await new Promise((g) => setTimeout(g, this.bffSleepMilliseconds));
2172
+ const a = await this.server.sessionAdapter.getSessionData(
2173
2173
  r,
2174
2174
  this.sessionDataName
2175
2175
  );
2176
- if (!i) {
2177
- if (a == this.bffMaxTries)
2176
+ if (!a) {
2177
+ if (i == this.bffMaxTries)
2178
2178
  throw new c(h.Unauthorized, "No access token found");
2179
2179
  continue;
2180
2180
  }
2181
- let n = i.access_token;
2182
- if (i && i.access_token) {
2181
+ let n = a.access_token;
2182
+ if (a && a.access_token) {
2183
2183
  const g = await this.refresh(
2184
2184
  "silent",
2185
2185
  r,
2186
2186
  !0,
2187
- i.refresh_token,
2188
- i.expires_at
2187
+ a.refresh_token,
2188
+ a.expires_at
2189
2189
  );
2190
2190
  if (g instanceof Response) throw new c(h.Configuration, "Expected object when refreshing tokens, not Response");
2191
2191
  if (g != null && g.access_token)
@@ -2207,7 +2207,7 @@ class G extends re {
2207
2207
  headers: o.headers,
2208
2208
  method: o.method ?? r.request.method
2209
2209
  }), l.status == 401) {
2210
- if (a < this.bffMaxTries - 1)
2210
+ if (i < this.bffMaxTries - 1)
2211
2211
  continue;
2212
2212
  return l;
2213
2213
  } else
@@ -2216,11 +2216,11 @@ class G extends re {
2216
2216
  return new Response(null, { status: 401 });
2217
2217
  } catch (s) {
2218
2218
  if (p.isSvelteKitError(s) || p.isSvelteKitRedirect(s)) throw s;
2219
- const a = c.asCrossauthError(s);
2220
- return d.logger.debug({ err: a }), d.logger.error({ cerr: a }), v({
2221
- error: a.oauthErrorCode,
2222
- error_description: a.message
2223
- }, { status: a.httpStatus });
2219
+ const i = c.asCrossauthError(s);
2220
+ return d.logger.debug({ err: i }), d.logger.error({ cerr: i }), v({
2221
+ error: i.oauthErrorCode,
2222
+ error_description: i.message
2223
+ }, { status: i.httpStatus });
2224
2224
  }
2225
2225
  }
2226
2226
  async unpack(r) {
@@ -2258,16 +2258,16 @@ class G extends re {
2258
2258
  const t = r.url.pathname.substring(this.bffEndpointName.length);
2259
2259
  let e;
2260
2260
  for (let s = 0; s < this.bffEndpoints.length; ++s) {
2261
- let a = this.bffEndpoints[s];
2262
- if (a.matchSubUrls) {
2263
- let i = a.url, n = a.url;
2264
- if (n.endsWith("/") || (n += "/"), a.methodsString.includes(r.request.method) && (t.startsWith(n) || t == i)) {
2261
+ let i = this.bffEndpoints[s];
2262
+ if (i.matchSubUrls) {
2263
+ let a = i.url, n = i.url;
2264
+ if (n.endsWith("/") || (n += "/"), i.methodsString.includes(r.request.method) && (t.startsWith(n) || t == a)) {
2265
2265
  e = s;
2266
2266
  break;
2267
2267
  }
2268
2268
  } else {
2269
- let i = a.url;
2270
- if (a.methodsString.includes(r.request.method) && t == i) {
2269
+ let a = i.url;
2270
+ if (i.methodsString.includes(r.request.method) && t == a) {
2271
2271
  e = s;
2272
2272
  break;
2273
2273
  }
@@ -2297,23 +2297,23 @@ class G extends re {
2297
2297
  if (!this.tokenEndpoints || this.tokenEndpoints.length == 0)
2298
2298
  throw new c(h.Unauthorized, "No tokens have been made available");
2299
2299
  let s = Array.isArray(o) ? o : [o];
2300
- const a = await this.server.sessionAdapter.getSessionData(
2300
+ const i = await this.server.sessionAdapter.getSessionData(
2301
2301
  r,
2302
2302
  this.sessionDataName
2303
2303
  );
2304
- if (!a)
2304
+ if (!i)
2305
2305
  throw new c(h.Unauthorized, "No access token found");
2306
- let i = {}, n, l = !1;
2306
+ let a = {}, n, l = !1;
2307
2307
  for (let f of s) {
2308
2308
  if (!this.tokenEndpoints.includes(f)) throw new c(h.Unauthorized, "Token type " + f + " may not be returned");
2309
2309
  l = !1;
2310
2310
  let g = f;
2311
2311
  f.startsWith("have_") && (g = f.replace("have_", ""), l = !0);
2312
- const m = g.replace("_token", ""), w = e && this.jwtTokens.includes(m);
2313
- let S = this.tokenPayload(g, a, l, w);
2314
- l ? i[f] = S.ok : S && (i[f] = S), n = i[f];
2312
+ const w = g.replace("_token", ""), m = e && this.jwtTokens.includes(w);
2313
+ let S = this.tokenPayload(g, i, l, m);
2314
+ l ? a[f] = S.ok : S && (a[f] = S), n = a[f];
2315
2315
  }
2316
- return Array.isArray(o) ? { status: 200, body: i } : n ? l ? { status: 200, body: typeof n == "boolean" ? { ok: n } : n } : { status: 200, body: n } : o.startsWith("have_") ? { status: 200, body: { ok: !1 } } : { status: 204 };
2316
+ return Array.isArray(o) ? { status: 200, body: a } : n ? l ? { status: 200, body: typeof n == "boolean" ? { ok: n } : n } : { status: 200, body: n } : o.startsWith("have_") ? { status: 200, body: { ok: !1 } } : { status: 204 };
2317
2317
  } catch (t) {
2318
2318
  if (p.isSvelteKitError(t) || p.isSvelteKitRedirect(t)) throw t;
2319
2319
  const e = c.asCrossauthError(t);
@@ -2330,7 +2330,7 @@ class G extends re {
2330
2330
  async startDeviceCodeFlow_internal(r) {
2331
2331
  let o;
2332
2332
  try {
2333
- if (!this.validFlows.includes(E.DeviceCode))
2333
+ if (!this.validFlows.includes(_.DeviceCode))
2334
2334
  throw new c(h.Unauthorized, "Device code flow is not supported");
2335
2335
  var t = new b();
2336
2336
  if (await t.loadData(r), o = t.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
@@ -2344,13 +2344,13 @@ class G extends re {
2344
2344
  e == "" && (e = void 0);
2345
2345
  let s = this.authServerBaseUrl;
2346
2346
  s.endsWith("/") || (s += "/"), s += this.deviceAuthorizationUrl;
2347
- const a = await this.startDeviceCodeFlow(s, e);
2348
- let i;
2349
- return a.verification_uri_complete && await ae.toDataURL(a.verification_uri_complete).then((n) => {
2350
- i = n;
2347
+ const i = await this.startDeviceCodeFlow(s, e);
2348
+ let a;
2349
+ return i.verification_uri_complete && await ae.toDataURL(i.verification_uri_complete).then((n) => {
2350
+ a = n;
2351
2351
  }).catch((n) => {
2352
2352
  d.logger.debug(u({ err: n })), d.logger.warn(u({ msg: "Couldn't generate verification URL QR Code" }));
2353
- }), i ? { verification_uri_qrdata: i, ...a } : a;
2353
+ }), a ? { verification_uri_qrdata: a, ...i } : i;
2354
2354
  } catch (e) {
2355
2355
  if (p.isSvelteKitRedirect(e) || p.isSvelteKitError(e)) throw e;
2356
2356
  const s = c.asCrossauthError(e);
@@ -2363,15 +2363,15 @@ class G extends re {
2363
2363
  async pollDeviceCodeFlow_internal(r) {
2364
2364
  let o;
2365
2365
  try {
2366
- if (!this.validFlows.includes(E.DeviceCode))
2366
+ if (!this.validFlows.includes(_.DeviceCode))
2367
2367
  throw new c(h.Unauthorized, "Device code flow is not supported");
2368
2368
  var t = new b();
2369
2369
  if (await t.loadData(r), o = t.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
2370
2370
  try {
2371
2371
  if (!this.server.sessionAdapter.getCsrfToken(r))
2372
2372
  throw new c(h.InvalidCsrf);
2373
- } catch (a) {
2374
- throw p.isSvelteKitError(a) || p.isSvelteKitRedirect(a) ? a : new c(h.Unauthorized, "CSRF token not present");
2373
+ } catch (i) {
2374
+ throw p.isSvelteKitError(i) || p.isSvelteKitRedirect(i) ? i : new c(h.Unauthorized, "CSRF token not present");
2375
2375
  }
2376
2376
  let e = o.device_code;
2377
2377
  if (!e) throw new c(h.BadRequest, "No device code given when polling for user authorization");
@@ -2386,8 +2386,8 @@ class G extends re {
2386
2386
  );
2387
2387
  {
2388
2388
  if (s.error == "authorization_pending") return { ok: !0, ...s };
2389
- let a = s.error ?? "server_error", i = s.error_description ?? "Didn't receive an access token";
2390
- const n = c.fromOAuthError(a, i);
2389
+ let i = s.error ?? "server_error", a = s.error_description ?? "Didn't receive an access token";
2390
+ const n = c.fromOAuthError(i, a);
2391
2391
  return this.errorFn(this.server, r, n);
2392
2392
  }
2393
2393
  } catch (e) {
@@ -2428,19 +2428,19 @@ class ge extends se {
2428
2428
  * @param options See {@link SvelteKitOAuthResourceServerOptions}
2429
2429
  */
2430
2430
  constructor(r, o = {}) {
2431
- if (super(r, o), this.errorBody = {}, this.protectedEndpoints = {}, this.sessionDataName = "oauth", this.tokenLocations = ["header"], y("errorBody", _.Json, this, o, "OAUTH_RESSERVER_ACCESS_DENIED_BODY"), y("tokenLocations", _.JsonArray, this, o, "OAUTH_TOKEN_LOCATIONS"), y("sessionDataName", _.String, this, o, "OAUTH_SESSION_DATA_NAME"), this.userStorage = o.userStorage, this.sessionAdapter = o.sessionAdapter, o.protectedEndpoints) {
2431
+ if (super(r, o), this.errorBody = {}, this.protectedEndpoints = {}, this.sessionDataName = "oauth", this.tokenLocations = ["header"], y("errorBody", E.Json, this, o, "OAUTH_RESSERVER_ACCESS_DENIED_BODY"), y("tokenLocations", E.JsonArray, this, o, "OAUTH_TOKEN_LOCATIONS"), y("sessionDataName", E.String, this, o, "OAUTH_SESSION_DATA_NAME"), this.userStorage = o.userStorage, this.sessionAdapter = o.sessionAdapter, o.protectedEndpoints) {
2432
2432
  const t = /^[!#\$%&'\(\)\*\+,\.\/a-zA-Z\[\]\^_`-]+/;
2433
2433
  for (const [e, s] of Object.entries(o.protectedEndpoints)) {
2434
2434
  if (!e.startsWith("/"))
2435
2435
  throw new c(h.Configuration, "protected endpoints must be absolute paths without the protocol and hostname");
2436
- s.scope && s.scope.forEach((a) => {
2437
- if (!t.test(a)) throw new c(h.Configuration, "Illegal characters in scope " + a);
2436
+ s.scope && s.scope.forEach((i) => {
2437
+ if (!t.test(i)) throw new c(h.Configuration, "Illegal characters in scope " + i);
2438
2438
  });
2439
2439
  }
2440
2440
  this.protectedEndpoints = o.protectedEndpoints;
2441
2441
  }
2442
2442
  o.protectedEndpoints && (this.hook = async ({ event: t }) => {
2443
- var a, i;
2443
+ var i, a;
2444
2444
  const e = t.url.pathname;
2445
2445
  if (!(e in this.protectedEndpoints)) return;
2446
2446
  const s = await this.authorized(t);
@@ -2468,7 +2468,7 @@ class ge extends se {
2468
2468
  }
2469
2469
  }
2470
2470
  if (s) {
2471
- if (t.locals.accessTokenPayload = s.tokenPayload, t.locals.user = s.user, (a = s.tokenPayload) != null && a.scope)
2471
+ if (t.locals.accessTokenPayload = s.tokenPayload, t.locals.user = s.user, (i = s.tokenPayload) != null && i.scope)
2472
2472
  if (Array.isArray(s.tokenPayload.scope)) {
2473
2473
  let n = [];
2474
2474
  for (let l of s.tokenPayload.scope)
@@ -2480,7 +2480,7 @@ class ge extends se {
2480
2480
  if (!t.locals.scope || !t.locals.scope.includes(n) && this.protectedEndpoints[e].acceptSessionAuthorization != !0) {
2481
2481
  d.logger.warn(u({
2482
2482
  msg: "Access token does not have sufficient scope",
2483
- username: (i = t.locals.user) == null ? void 0 : i.username,
2483
+ username: (a = t.locals.user) == null ? void 0 : a.username,
2484
2484
  url: t.request.url
2485
2485
  })), t.locals.scope = void 0, t.locals.accessTokenPayload = void 0, t.locals.user = void 0, t.locals.authError = "access_denied", t.locals.authErrorDescription = "Access token does not have sufficient scope";
2486
2486
  const l = this.authenticateHeader(t);
@@ -2635,11 +2635,11 @@ const D = class D {
2635
2635
  apiKey: t,
2636
2636
  oAuthAuthServer: e,
2637
2637
  oAuthClient: s,
2638
- oAuthClients: a,
2639
- oAuthResServer: i,
2638
+ oAuthClients: i,
2639
+ oAuthResServer: a,
2640
2640
  options: n
2641
2641
  }) {
2642
- this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (f) => ({}), this.dummyActions = {}, this.dummyBff = async (f) => ({ status: 500, body: { error: "Unimplemented" } }), n || (n = {}), y("loginUrl", _.String, this, n, "LOGIN_URL", !1), n.isAdminFn && (D.isAdminFn = n.isAdminFn);
2642
+ this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (f) => ({}), this.dummyActions = {}, this.dummyBff = async (f) => ({ status: 500, body: { error: "Unimplemented" } }), n || (n = {}), y("loginUrl", E.String, this, n, "LOGIN_URL", !1), n.isAdminFn && (D.isAdminFn = n.isAdminFn);
2643
2643
  let l = {};
2644
2644
  if (n.authenticators && (l = n.authenticators), this.userStorage = n.userStorage, r) {
2645
2645
  if (!l)
@@ -2667,15 +2667,15 @@ const D = class D {
2667
2667
  { ...f, ...n, ...e.options }
2668
2668
  );
2669
2669
  }
2670
- if (s && a)
2670
+ if (s && i)
2671
2671
  throw new c(h.Configuration, "Cannot specify both oAuthClient and oAuthClients");
2672
2672
  if (s && (this.oAuthClient = new G(
2673
2673
  this,
2674
2674
  s.authServerBaseUrl,
2675
2675
  { ...n, ...s.options }
2676
- )), a) {
2676
+ )), i) {
2677
2677
  this.oAuthClients = [];
2678
- for (let f of a)
2678
+ for (let f of i)
2679
2679
  this.oAuthClients.push(
2680
2680
  new G(
2681
2681
  this,
@@ -2684,12 +2684,12 @@ const D = class D {
2684
2684
  )
2685
2685
  );
2686
2686
  }
2687
- i && (y("audience", _.String, this, n, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new ge(
2687
+ a && (y("audience", E.String, this, n, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new ge(
2688
2688
  [new te(this.audience, n)],
2689
- { sessionAdapter: this.sessionAdapter, ...i.options, ...n }
2689
+ { sessionAdapter: this.sessionAdapter, ...a.options, ...n }
2690
2690
  )), this.hooks = async ({ event: f, resolve: g }) => {
2691
- const m = await this.unresolvedHooks(f);
2692
- return await g(m);
2691
+ const w = await this.unresolvedHooks(f);
2692
+ return w instanceof Response ? w : await g(w);
2693
2693
  };
2694
2694
  }
2695
2695
  async unresolvedHooks(r) {
@@ -2797,12 +2797,12 @@ class we {
2797
2797
  const g = await this.sessionServer.getSessionData(t, "factor2change");
2798
2798
  g != null && g.username || this.isSessionUser(t) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), e = g == null ? void 0 : g.username;
2799
2799
  }
2800
- let s = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }], a = {}, i = t.url.searchParams.get("required"), n;
2801
- i && (i = i.toLowerCase(), n = i == "true" || i == "1", n == !0 && (a.required = !0));
2800
+ let s = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }], i = {}, a = t.url.searchParams.get("required"), n;
2801
+ a && (a = a.toLowerCase(), n = a == "true" || a == "1", n == !0 && (i.required = !0));
2802
2802
  let l = t.url.searchParams.get("next");
2803
- return l && (a.next = l), {
2803
+ return l && (i.next = l), {
2804
2804
  allowedFactor2: s,
2805
- ...a,
2805
+ ...i,
2806
2806
  username: e,
2807
2807
  ...this.baseEndpoint(t)
2808
2808
  };
@@ -2812,12 +2812,12 @@ class we {
2812
2812
  default: async (t) => await this.changePassword(t)
2813
2813
  },
2814
2814
  load: async (t) => {
2815
- let e = {}, s = t.url.searchParams.get("required"), a, i = t.locals.user != null;
2816
- if (!i) {
2815
+ let e = {}, s = t.url.searchParams.get("required"), i, a = t.locals.user != null;
2816
+ if (!a) {
2817
2817
  const l = await this.sessionServer.getSessionData(t, "passwordchange");
2818
- l != null && l.username && (i = !0);
2818
+ l != null && l.username && (a = !0);
2819
2819
  }
2820
- i || this.sessionServer.redirect(302, this.loginUrl), s && (s = s.toLowerCase(), a = s == "true" || s == "1", a == !0 && (e.required = !0));
2820
+ a || this.sessionServer.redirect(302, this.loginUrl), s && (s = s.toLowerCase(), i = s == "true" || s == "1", i == !0 && (e.required = !0));
2821
2821
  let n = t.url.searchParams.get("next");
2822
2822
  return n && (e.next = n), {
2823
2823
  ...e,
@@ -2843,8 +2843,8 @@ class we {
2843
2843
  default: async (t) => await this.requestPasswordReset(t)
2844
2844
  },
2845
2845
  load: async (t) => {
2846
- let e = {}, s = t.url.searchParams.get("required"), a;
2847
- return s && (s = s.toLowerCase(), a = s == "true" || s == "1", a == !0 && (e.required = !0)), {
2846
+ let e = {}, s = t.url.searchParams.get("required"), i;
2847
+ return s && (s = s.toLowerCase(), i = s == "true" || s == "1", i == !0 && (e.required = !0)), {
2848
2848
  ...e,
2849
2849
  ...this.baseEndpoint(t)
2850
2850
  };
@@ -2864,14 +2864,14 @@ class we {
2864
2864
  try {
2865
2865
  return e = await this.resetPassword(t), e;
2866
2866
  } catch (s) {
2867
- const a = c.asCrossauthError(s);
2867
+ const i = c.asCrossauthError(s);
2868
2868
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
2869
- return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
2869
+ return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
2870
2870
  ok: !1,
2871
2871
  tokenValidated: !1,
2872
2872
  error: e == null ? void 0 : e.error,
2873
- errorCode: a.code,
2874
- errorCodeName: a.codeName,
2873
+ errorCode: i.code,
2874
+ errorCodeName: i.codeName,
2875
2875
  ...this.baseEndpoint(t)
2876
2876
  };
2877
2877
  }
@@ -2919,7 +2919,7 @@ class we {
2919
2919
  ...e
2920
2920
  };
2921
2921
  }
2922
- }, this.sessionServer = r, y("changePasswordUrl", _.String, this, o, "CHANGE_PASSWORD_URL"), y("requestPasswordResetUrl", _.String, this, o, "REQUEST_PASSWORD_RESET_URL"), y("changeFactor2Url", _.String, this, o, "CHANGE_FACTOR2_URL"), y("loginRedirectUrl", _.JsonArray, this, o, "LOGIN_REDIRECT_URL"), y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.addToSession && (this.addToSession = o.addToSession);
2922
+ }, this.sessionServer = r, y("changePasswordUrl", E.String, this, o, "CHANGE_PASSWORD_URL"), y("requestPasswordResetUrl", E.String, this, o, "REQUEST_PASSWORD_RESET_URL"), y("changeFactor2Url", E.String, this, o, "CHANGE_FACTOR2_URL"), y("loginRedirectUrl", E.JsonArray, this, o, "LOGIN_REDIRECT_URL"), y("loginUrl", E.JsonArray, this, o, "LOGIN_URL"), o.addToSession && (this.addToSession = o.addToSession);
2923
2923
  }
2924
2924
  /** Returns whether there is a user logged in with a cookie-based session
2925
2925
  */
@@ -2971,43 +2971,43 @@ class we {
2971
2971
  try {
2972
2972
  var t = new b();
2973
2973
  await t.loadData(r), o = t.toObject();
2974
- const e = t.get("username") ?? "", s = t.getAsBoolean("persist") ?? !1, a = o.next ?? this.loginRedirectUrl;
2974
+ const e = t.get("username") ?? "", s = t.getAsBoolean("persist") ?? !1, i = o.next ?? this.loginRedirectUrl;
2975
2975
  if (e == "") throw new c(h.InvalidUsername, "Username field may not be empty");
2976
- let i = this.addToSession ? this.addToSession(r, o) : {};
2976
+ let a = this.addToSession ? this.addToSession(r, o) : {};
2977
2977
  if (this.sessionServer.enableCsrfProtection && !r.locals.csrfToken) throw new c(h.InvalidCsrf);
2978
2978
  const n = this.sessionServer.getSessionCookieValue(r);
2979
- let { sessionCookie: l, csrfCookie: f, user: g } = await this.sessionServer.sessionManager.login(e, t.toObject(), i, s);
2979
+ let { sessionCookie: l, csrfCookie: f, user: g } = await this.sessionServer.sessionManager.login(e, t.toObject(), a, s);
2980
2980
  if (d.logger.debug(u({
2981
2981
  msg: "Login: set session cookie " + l.name + " opts " + JSON.stringify(l.options),
2982
2982
  user: e
2983
2983
  })), r.cookies.set(
2984
2984
  l.name,
2985
2985
  l.value,
2986
- R(l.options)
2986
+ P(l.options)
2987
2987
  ), d.logger.debug(u({
2988
2988
  msg: "Login: set csrf cookie " + f.name + " opts " + JSON.stringify(l.options),
2989
2989
  user: e
2990
2990
  })), this.sessionServer.enableCsrfProtection && (r.cookies.set(
2991
2991
  f.name,
2992
2992
  f.value,
2993
- R(f.options)
2993
+ P(f.options)
2994
2994
  ), r.locals.csrfToken = await this.sessionServer.sessionManager.createCsrfFormOrHeaderValue(f.value)), n)
2995
2995
  try {
2996
2996
  await this.sessionServer.sessionManager.deleteSession(n);
2997
- } catch (m) {
2997
+ } catch (w) {
2998
2998
  d.logger.warn(u({
2999
2999
  msg: "Couldn't delete session ID from database",
3000
3000
  hashOfSessionId: this.sessionServer.getHashOfSessionId(r)
3001
- })), d.logger.debug(u({ err: m }));
3001
+ })), d.logger.debug(u({ err: w }));
3002
3002
  }
3003
- if (g.state == I.passwordChangeNeeded)
3004
- this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" + a));
3003
+ if (g.state == N.passwordChangeNeeded)
3004
+ this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" + i));
3005
3005
  else {
3006
- if (g.state == I.passwordResetNeeded)
3006
+ if (g.state == N.passwordResetNeeded)
3007
3007
  throw new c(h.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
3008
- if (g.state == I.passwordAndFactor2ResetNeeded)
3008
+ if (g.state == N.passwordAndFactor2ResetNeeded)
3009
3009
  throw new c(h.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
3010
- this.sessionServer.allowedFactor2.length > 0 && g.state == I.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" + a)) : (!g.factor2 || g.factor2 == "") && (r.locals.user = g);
3010
+ this.sessionServer.allowedFactor2.length > 0 && g.state == N.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" + i)) : (!g.factor2 || g.factor2 == "") && (r.locals.user = g);
3011
3011
  }
3012
3012
  return {
3013
3013
  user: g,
@@ -3033,22 +3033,22 @@ class we {
3033
3033
  async loginWithUser(r, o, t) {
3034
3034
  const e = t.locals.sessionId, s = new b();
3035
3035
  await s.loadData(t);
3036
- let a = this.addToSession ? this.addToSession(t, s.toObject()) : {}, { sessionCookie: i, csrfCookie: n, csrfFormOrHeaderValue: l } = await this.sessionServer.sessionManager.login("", {}, a, void 0, r, o);
3036
+ let i = this.addToSession ? this.addToSession(t, s.toObject()) : {}, { sessionCookie: a, csrfCookie: n, csrfFormOrHeaderValue: l } = await this.sessionServer.sessionManager.login("", {}, i, void 0, r, o);
3037
3037
  if (d.logger.debug(u({
3038
- msg: "Login: set session cookie " + i.name + " opts " + JSON.stringify(i.options),
3038
+ msg: "Login: set session cookie " + a.name + " opts " + JSON.stringify(a.options),
3039
3039
  user: r.username
3040
3040
  })), t.cookies.set(
3041
- i.name,
3042
- i.value,
3043
- R(i.options)
3041
+ a.name,
3042
+ a.value,
3043
+ P(a.options)
3044
3044
  ), d.logger.debug(u({
3045
- msg: "Login: set csrf cookie " + n.name + " opts " + JSON.stringify(i.options),
3045
+ msg: "Login: set csrf cookie " + n.name + " opts " + JSON.stringify(a.options),
3046
3046
  user: r.username
3047
3047
  })), this.sessionServer.enableCsrfProtection && t.cookies.set(
3048
3048
  n.name,
3049
3049
  n.value,
3050
- R(n.options)
3051
- ), t.locals.user = r, t.locals.csrfToken = l, t.locals.sessionId = this.sessionServer.sessionManager.getSessionId(i.value), e)
3050
+ P(n.options)
3051
+ ), t.locals.user = r, t.locals.csrfToken = l, t.locals.sessionId = this.sessionServer.sessionManager.getSessionId(a.value), e)
3052
3052
  try {
3053
3053
  await this.sessionServer.sessionManager.deleteSession(e);
3054
3054
  } catch (f) {
@@ -3166,24 +3166,24 @@ class we {
3166
3166
  "Illegal second factor " + o.factor2 + " requested"
3167
3167
  );
3168
3168
  (o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), s = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields);
3169
- let a = this.sessionServer.authenticators[s.factor1].validateSecrets(o);
3170
- const i = this.sessionServer.authenticators[s.factor1].secretNames();
3169
+ let i = this.sessionServer.authenticators[s.factor1].validateSecrets(o);
3170
+ const a = this.sessionServer.authenticators[s.factor1].secretNames();
3171
3171
  let n = {};
3172
- for (let m in o)
3173
- if (m.startsWith("repeat_")) {
3174
- const w = m.replace(/^repeat_/, "");
3175
- i.includes(w) && (n[w] = o[m]);
3172
+ for (let w in o)
3173
+ if (w.startsWith("repeat_")) {
3174
+ const m = w.replace(/^repeat_/, "");
3175
+ a.includes(m) && (n[m] = o[w]);
3176
3176
  }
3177
3177
  Object.keys(n).length === 0 && (n = void 0), s.state = "active", o.factor2 && o.factor2 != "none" ? s.state = "awaitingtwofactor" : this.sessionServer.enableEmailVerification && (s.state = "awaitingemailverification");
3178
- let f = [...this.sessionServer.validateUserFn(s), ...a];
3178
+ let f = [...this.sessionServer.validateUserFn(s), ...i];
3179
3179
  if (f.length > 0)
3180
3180
  throw new c(h.FormEntry, f);
3181
3181
  let g = !1;
3182
3182
  try {
3183
- const { user: m, secrets: w } = await this.sessionServer.userStorage.getUserByUsername(e);
3184
- await this.sessionServer.sessionManager.authenticators[s.factor1].authenticateUser(m, w, o);
3185
- } catch (m) {
3186
- c.asCrossauthError(m).code == h.TwoFactorIncomplete && (g = !0);
3183
+ const { user: w, secrets: m } = await this.sessionServer.userStorage.getUserByUsername(e);
3184
+ await this.sessionServer.sessionManager.authenticators[s.factor1].authenticateUser(w, m, o);
3185
+ } catch (w) {
3186
+ c.asCrossauthError(w).code == h.TwoFactorIncomplete && (g = !0);
3187
3187
  }
3188
3188
  if (!o.factor2 && !g)
3189
3189
  return await this.sessionServer.sessionManager.createUser(
@@ -3192,13 +3192,13 @@ class we {
3192
3192
  n
3193
3193
  ), this.sessionServer.enableEmailVerification ? { emailVerificationRequired: !0, user: s, ok: !0, formData: o } : { ...await this.login(r), formData: o };
3194
3194
  {
3195
- let m;
3195
+ let w;
3196
3196
  if (g) {
3197
3197
  if (!r.locals.sessionId) throw new c(h.Unauthorized);
3198
- m = (await this.sessionServer.sessionManager.repeatTwoFactorSignup(r.locals.sessionId)).userData;
3198
+ w = (await this.sessionServer.sessionManager.repeatTwoFactorSignup(r.locals.sessionId)).userData;
3199
3199
  } else {
3200
- const w = await this.sessionServer.createAnonymousSession(r), S = this.sessionServer.sessionManager.getSessionId(w);
3201
- m = (await this.sessionServer.sessionManager.initiateTwoFactorSignup(
3200
+ const m = await this.sessionServer.createAnonymousSession(r), S = this.sessionServer.sessionManager.getSessionId(m);
3201
+ w = (await this.sessionServer.sessionManager.initiateTwoFactorSignup(
3202
3202
  s,
3203
3203
  o,
3204
3204
  S,
@@ -3206,14 +3206,14 @@ class we {
3206
3206
  )).userData;
3207
3207
  }
3208
3208
  try {
3209
- let w = {
3210
- userData: m,
3209
+ let m = {
3210
+ userData: w,
3211
3211
  username: e,
3212
3212
  factor2: o.factor2 ?? "none"
3213
3213
  };
3214
- return this.sessionServer.enableCsrfProtection && (w.csrfToken = r.locals.csrfToken), { factor2Data: w, ok: !0, factor2Required: !0, formData: o };
3215
- } catch (w) {
3216
- d.logger.error(u({ err: w }));
3214
+ return this.sessionServer.enableCsrfProtection && (m.csrfToken = r.locals.csrfToken), { factor2Data: m, ok: !0, factor2Required: !0, formData: o };
3215
+ } catch (m) {
3216
+ d.logger.error(u({ err: m }));
3217
3217
  try {
3218
3218
  this.sessionServer.sessionManager.deleteUserByUsername(e);
3219
3219
  } catch (S) {
@@ -3309,8 +3309,8 @@ class we {
3309
3309
  try {
3310
3310
  var s = new b();
3311
3311
  await s.loadData(r), o = s.toObject();
3312
- const a = await this.sessionServer.getSessionData(r, "2fa");
3313
- if (a != null && a.factor2) e = a == null ? void 0 : a.factor2;
3312
+ const i = await this.sessionServer.getSessionData(r, "2fa");
3313
+ if (i != null && i.factor2) e = i == null ? void 0 : i.factor2;
3314
3314
  else throw new c(h.BadRequest, "Two factor authentication was not started");
3315
3315
  if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
3316
3316
  throw new c(h.InvalidCsrf);
@@ -3318,17 +3318,17 @@ class we {
3318
3318
  h.Unauthorized,
3319
3319
  "No session active while enabling 2FA. Please enable cookies"
3320
3320
  );
3321
- let i = await this.sessionServer.sessionManager.completeTwoFactorSetup(
3321
+ let a = await this.sessionServer.sessionManager.completeTwoFactorSetup(
3322
3322
  o,
3323
3323
  r.locals.sessionId
3324
3324
  );
3325
- return this.sessionServer.enableEmailVerification || await this.loginWithUser(i, !0, r), r.locals.user ? {
3325
+ return this.sessionServer.enableEmailVerification || await this.loginWithUser(a, !0, r), r.locals.user ? {
3326
3326
  ok: !0,
3327
- user: i,
3327
+ user: a,
3328
3328
  emailVerificationRequired: this.sessionServer.enableEmailVerification
3329
- } : await this.loginWithUser(i, !0, r);
3330
- } catch (a) {
3331
- const i = c.asCrossauthError(a);
3329
+ } : await this.loginWithUser(a, !0, r);
3330
+ } catch (i) {
3331
+ const a = c.asCrossauthError(i);
3332
3332
  let n;
3333
3333
  try {
3334
3334
  n = (await this.sessionServer.sessionManager.repeatTwoFactorSignup(r.locals.sessionId ?? "")).userData;
@@ -3339,11 +3339,11 @@ class we {
3339
3339
  csrfToken: r.locals.csrfToken,
3340
3340
  username: n.username ?? "",
3341
3341
  factor2: e
3342
- }), d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
3342
+ }), d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
3343
3343
  ok: !1,
3344
- error: i.message,
3345
- errorCode: i.code,
3346
- errorCodeName: i.codeName,
3344
+ error: a.message,
3345
+ errorCode: a.code,
3346
+ errorCodeName: a.codeName,
3347
3347
  formData: o,
3348
3348
  factor2Data: t,
3349
3349
  emailVerificationRequired: this.sessionServer.enableEmailVerification
@@ -3379,27 +3379,27 @@ class we {
3379
3379
  if (!s) throw new c(h.Unauthorized);
3380
3380
  if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
3381
3381
  throw new c(h.InvalidCsrf);
3382
- let a = this.addToSession ? this.addToSession(r, o) : {};
3383
- const { sessionCookie: i, csrfCookie: n, user: l } = await this.sessionServer.sessionManager.completeTwoFactorLogin(
3382
+ let i = this.addToSession ? this.addToSession(r, o) : {};
3383
+ const { sessionCookie: a, csrfCookie: n, user: l } = await this.sessionServer.sessionManager.completeTwoFactorLogin(
3384
3384
  o,
3385
3385
  s,
3386
- a,
3386
+ i,
3387
3387
  e
3388
3388
  );
3389
3389
  return d.logger.debug(u({
3390
- msg: "Login: set session cookie " + i.name + " opts " + JSON.stringify(i.options),
3390
+ msg: "Login: set session cookie " + a.name + " opts " + JSON.stringify(a.options),
3391
3391
  user: l == null ? void 0 : l.username
3392
3392
  })), r.cookies.set(
3393
- i.name,
3394
- i.value,
3395
- R(i.options)
3393
+ a.name,
3394
+ a.value,
3395
+ P(a.options)
3396
3396
  ), d.logger.debug(u({
3397
- msg: "Login: set csrf cookie " + n.name + " opts " + JSON.stringify(i.options),
3397
+ msg: "Login: set csrf cookie " + n.name + " opts " + JSON.stringify(a.options),
3398
3398
  user: l == null ? void 0 : l.username
3399
3399
  })), r.cookies.set(
3400
3400
  n.name,
3401
3401
  n.value,
3402
- R(n.options)
3402
+ P(n.options)
3403
3403
  ), this.sessionServer.enableCsrfProtection && (r.locals.csrfToken = await this.sessionServer.sessionManager.createCsrfFormOrHeaderValue(n.value)), r.locals.user = l, {
3404
3404
  user: l,
3405
3405
  ok: !0
@@ -3512,24 +3512,24 @@ class we {
3512
3512
  );
3513
3513
  const e = r.params.token ?? "";
3514
3514
  if (e == "") throw new c(h.InvalidUsername, "No token provided");
3515
- const s = await this.sessionServer.sessionManager.userForPasswordResetToken(e), a = this.sessionServer.authenticators[s.factor1], i = a.secretNames();
3515
+ const s = await this.sessionServer.sessionManager.userForPasswordResetToken(e), i = this.sessionServer.authenticators[s.factor1], a = i.secretNames();
3516
3516
  let n = {}, l = {};
3517
- for (let m in o)
3518
- if (m.startsWith("new_")) {
3519
- const w = m.replace(/^new_/, "");
3520
- i.includes(w) && (n[w] = o[m]);
3521
- } else if (m.startsWith("repeat_")) {
3522
- const w = m.replace(/^repeat_/, "");
3523
- i.includes(w) && (l[w] = o[m]);
3517
+ for (let w in o)
3518
+ if (w.startsWith("new_")) {
3519
+ const m = w.replace(/^new_/, "");
3520
+ a.includes(m) && (n[m] = o[w]);
3521
+ } else if (w.startsWith("repeat_")) {
3522
+ const m = w.replace(/^repeat_/, "");
3523
+ a.includes(m) && (l[m] = o[w]);
3524
3524
  }
3525
- if (Object.keys(l).length === 0 && (l = void 0), a.validateSecrets(n).length > 0)
3525
+ if (Object.keys(l).length === 0 && (l = void 0), i.validateSecrets(n).length > 0)
3526
3526
  throw new c(h.PasswordFormat);
3527
3527
  const g = await this.sessionServer.sessionManager.resetSecret(e, 1, n, l);
3528
- if (g.state == I.active)
3528
+ if (g.state == N.active)
3529
3529
  return await this.loginWithUser(g, !0, r);
3530
3530
  {
3531
- const m = this.sessionServer.getSessionCookieValue(r), w = this.sessionServer.sessionManager.getSessionId(m ?? "");
3532
- throw await this.sessionServer.sessionManager.updateSessionData(w, "factor2change", { username: s.username }), this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true");
3531
+ const w = this.sessionServer.getSessionCookieValue(r), m = this.sessionServer.sessionManager.getSessionId(w ?? "");
3532
+ throw await this.sessionServer.sessionManager.updateSessionData(m, "factor2change", { username: s.username }), this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true");
3533
3533
  }
3534
3534
  } catch (e) {
3535
3535
  if (p.isSvelteKitRedirect(e)) throw e;
@@ -3619,10 +3619,10 @@ class we {
3619
3619
  await t.loadData(r), o = t.toObject();
3620
3620
  let e, s = !1;
3621
3621
  if (!this.isSessionUser(r) || !r.locals.user) {
3622
- const w = await this.sessionServer.getSessionData(r, "passwordchange");
3623
- if (w != null && w.username) {
3622
+ const m = await this.sessionServer.getSessionData(r, "passwordchange");
3623
+ if (m != null && m.username) {
3624
3624
  if (e = (await this.sessionServer.userStorage.getUserByUsername(
3625
- w == null ? void 0 : w.username,
3625
+ m == null ? void 0 : m.username,
3626
3626
  {
3627
3627
  skipActiveCheck: !0,
3628
3628
  skipEmailVerifiedCheck: !0
@@ -3637,22 +3637,22 @@ class we {
3637
3637
  e = r.locals.user;
3638
3638
  } else
3639
3639
  throw new c(h.InsufficientPriviledges);
3640
- const a = this.sessionServer.authenticators[e.factor1], i = a.secretNames();
3640
+ const i = this.sessionServer.authenticators[e.factor1], a = i.secretNames();
3641
3641
  let n = {}, l = {}, f = {};
3642
- for (let w in o)
3643
- if (w.startsWith("new_")) {
3644
- const S = w.replace(/^new_/, "");
3645
- i.includes(S) && (l[S] = o[w]);
3646
- } else if (w.startsWith("old_")) {
3647
- const S = w.replace(/^old_/, "");
3648
- i.includes(S) && (n[S] = o[w]);
3649
- } else if (w.startsWith("repeat_")) {
3650
- const S = w.replace(/^repeat_/, "");
3651
- i.includes(S) && (f[S] = o[w]);
3642
+ for (let m in o)
3643
+ if (m.startsWith("new_")) {
3644
+ const S = m.replace(/^new_/, "");
3645
+ a.includes(S) && (l[S] = o[m]);
3646
+ } else if (m.startsWith("old_")) {
3647
+ const S = m.replace(/^old_/, "");
3648
+ a.includes(S) && (n[S] = o[m]);
3649
+ } else if (m.startsWith("repeat_")) {
3650
+ const S = m.replace(/^repeat_/, "");
3651
+ a.includes(S) && (f[S] = o[m]);
3652
3652
  }
3653
- if (Object.keys(f).length === 0 && (f = void 0), a.validateSecrets(l).length > 0)
3653
+ if (Object.keys(f).length === 0 && (f = void 0), i.validateSecrets(l).length > 0)
3654
3654
  throw new c(h.PasswordFormat);
3655
- const m = e.state;
3655
+ const w = e.state;
3656
3656
  try {
3657
3657
  s && (e.state = "active", await this.sessionServer.userStorage.updateUser({ id: e.id, state: e.state })), await this.sessionServer.sessionManager.changeSecrets(
3658
3658
  e.username,
@@ -3661,11 +3661,11 @@ class we {
3661
3661
  f,
3662
3662
  n
3663
3663
  );
3664
- } catch (w) {
3665
- const S = c.asCrossauthError(w);
3666
- if (d.logger.debug(u({ err: w })), s)
3664
+ } catch (m) {
3665
+ const S = c.asCrossauthError(m);
3666
+ if (d.logger.debug(u({ err: m })), s)
3667
3667
  try {
3668
- await this.sessionServer.userStorage.updateUser({ id: e.id, state: m });
3668
+ await this.sessionServer.userStorage.updateUser({ id: e.id, state: w });
3669
3669
  } catch (C) {
3670
3670
  d.logger.debug(u({ err: C }));
3671
3671
  }
@@ -3768,15 +3768,15 @@ class we {
3768
3768
  let s = this.sessionServer.validateUserFn(e);
3769
3769
  if (s.length > 0)
3770
3770
  throw new c(h.FormEntry, s);
3771
- let { emailVerificationTokenSent: a } = await this.sessionServer.sessionManager.updateUser(r.locals.user, e);
3772
- if (!a) {
3773
- const i = await this.sessionServer.userStorage.getUserById(r.locals.user.id);
3774
- r.locals.user = i.user;
3771
+ let { emailVerificationTokenSent: i } = await this.sessionServer.sessionManager.updateUser(r.locals.user, e);
3772
+ if (!i) {
3773
+ const a = await this.sessionServer.userStorage.getUserById(r.locals.user.id);
3774
+ r.locals.user = a.user;
3775
3775
  }
3776
3776
  return {
3777
3777
  ok: !0,
3778
3778
  formData: o,
3779
- emailVerificationNeeded: a
3779
+ emailVerificationNeeded: i
3780
3780
  };
3781
3781
  } catch (e) {
3782
3782
  let s = c.asCrossauthError(e, "Couldn't update account");
@@ -3824,32 +3824,32 @@ class we {
3824
3824
  const l = await this.sessionServer.getSessionData(r, "factor2change");
3825
3825
  l != null && l.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), s = l == null ? void 0 : l.username;
3826
3826
  }
3827
- let a = r.locals.user;
3828
- if (!a && s && (a = (await this.sessionServer.userStorage.getUserByUsername(
3827
+ let i = r.locals.user;
3828
+ if (!i && s && (i = (await this.sessionServer.userStorage.getUserByUsername(
3829
3829
  s,
3830
3830
  {
3831
3831
  skipActiveCheck: !0,
3832
3832
  skipEmailVerifiedCheck: !0
3833
3833
  }
3834
- )).user), !a)
3834
+ )).user), !i)
3835
3835
  throw new c(h.InsufficientPriviledges);
3836
3836
  if (!r.locals.sessionId)
3837
3837
  throw new c(h.Unauthorized);
3838
- let i = o.factor2;
3838
+ let a = o.factor2;
3839
3839
  if (o.factor2 && !this.sessionServer.allowedFactor2Names.includes(o.factor2))
3840
3840
  throw new c(
3841
3841
  h.Forbidden,
3842
3842
  "Illegal second factor " + o.factor2 + " requested"
3843
3843
  );
3844
- if ((o.factor2 == "none" || o.factor2 == "") && (i = void 0, !r.locals.user))
3845
- return await this.loginWithUser(a, !0, r);
3846
- const n = await this.sessionServer.sessionManager.initiateTwoFactorSetup(a, i, r.locals.sessionId);
3847
- return i ? {
3844
+ if ((o.factor2 == "none" || o.factor2 == "") && (a = void 0, !r.locals.user))
3845
+ return await this.loginWithUser(i, !0, r);
3846
+ const n = await this.sessionServer.sessionManager.initiateTwoFactorSetup(i, a, r.locals.sessionId);
3847
+ return a ? {
3848
3848
  ok: !0,
3849
3849
  formData: o,
3850
3850
  factor2Data: {
3851
- username: a.username,
3852
- factor2: i ?? "",
3851
+ username: i.username,
3852
+ factor2: a ?? "",
3853
3853
  userData: n,
3854
3854
  csrfToken: r.locals.csrfToken
3855
3855
  }
@@ -3858,11 +3858,11 @@ class we {
3858
3858
  formData: o
3859
3859
  };
3860
3860
  } catch (s) {
3861
- let a = c.asCrossauthError(s, "Couldn't update account");
3862
- return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
3863
- error: a.message,
3864
- errorCode: a.code,
3865
- errorCodeName: a.codeName,
3861
+ let i = c.asCrossauthError(s, "Couldn't update account");
3862
+ return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
3863
+ error: i.message,
3864
+ errorCode: i.code,
3865
+ errorCodeName: i.codeName,
3866
3866
  ok: !1,
3867
3867
  formData: o
3868
3868
  };
@@ -3900,47 +3900,47 @@ class we {
3900
3900
  const f = await this.sessionServer.getSessionData(r, "factor2change");
3901
3901
  f != null && f.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), s = f == null ? void 0 : f.username;
3902
3902
  }
3903
- let a = r.locals.user;
3904
- if (!a && s && (a = (await this.sessionServer.userStorage.getUserByUsername(
3903
+ let i = r.locals.user;
3904
+ if (!i && s && (i = (await this.sessionServer.userStorage.getUserByUsername(
3905
3905
  s,
3906
3906
  {
3907
3907
  skipActiveCheck: !0,
3908
3908
  skipEmailVerifiedCheck: !0
3909
3909
  }
3910
- )).user), !a)
3910
+ )).user), !i)
3911
3911
  throw new c(h.InsufficientPriviledges);
3912
3912
  if (!r.locals.sessionId)
3913
3913
  throw new c(h.Unauthorized);
3914
3914
  if (!r.locals.sessionId)
3915
3915
  throw new c(h.Unauthorized);
3916
- let i = a.factor2;
3917
- const n = this.sessionServer.authenticators[i];
3916
+ let a = i.factor2;
3917
+ const n = this.sessionServer.authenticators[a];
3918
3918
  if (!n || n.secretNames().length == 0)
3919
3919
  throw new c(
3920
3920
  h.BadRequest,
3921
3921
  "Selected second factor does not have configuration"
3922
3922
  );
3923
3923
  const l = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
3924
- a,
3925
3924
  i,
3925
+ a,
3926
3926
  r.locals.sessionId
3927
3927
  );
3928
3928
  return {
3929
3929
  ok: !0,
3930
3930
  formData: o,
3931
3931
  factor2Data: {
3932
- username: a.username,
3933
- factor2: a.factor2 ?? "",
3932
+ username: i.username,
3933
+ factor2: i.factor2 ?? "",
3934
3934
  userData: l,
3935
3935
  csrfToken: r.locals.csrfToken
3936
3936
  }
3937
3937
  };
3938
3938
  } catch (s) {
3939
- let a = c.asCrossauthError(s, "Couldn't update account");
3940
- return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
3941
- error: a.message,
3942
- errorCode: a.code,
3943
- errorCodeName: a.codeName,
3939
+ let i = c.asCrossauthError(s, "Couldn't update account");
3940
+ return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
3941
+ error: i.message,
3942
+ errorCode: i.code,
3943
+ errorCodeName: i.codeName,
3944
3944
  ok: !1,
3945
3945
  formData: o
3946
3946
  };
@@ -3962,16 +3962,16 @@ async function me(k, r, o = 0, t = 10) {
3962
3962
  const { user: s } = await r.getUserByUsername(k);
3963
3963
  e.push(s);
3964
3964
  } catch (s) {
3965
- const a = c.asCrossauthError(s);
3966
- if (a.code != h.UserNotExist)
3967
- throw d.logger.debug(u({ err: a })), a;
3965
+ const i = c.asCrossauthError(s);
3966
+ if (i.code != h.UserNotExist)
3967
+ throw d.logger.debug(u({ err: i })), i;
3968
3968
  try {
3969
- const { user: i } = await r.getUserByEmail(k);
3970
- e.push(i);
3971
- } catch (i) {
3972
- const n = c.asCrossauthError(i);
3969
+ const { user: a } = await r.getUserByEmail(k);
3970
+ e.push(a);
3971
+ } catch (a) {
3972
+ const n = c.asCrossauthError(a);
3973
3973
  if (n.code != h.UserNotExist)
3974
- throw d.logger.debug(u({ err: n })), a;
3974
+ throw d.logger.debug(u({ err: n })), i;
3975
3975
  }
3976
3976
  }
3977
3977
  return e;
@@ -3990,12 +3990,12 @@ class ke {
3990
3990
  }, this.updateUserEndpoint = {
3991
3991
  actions: {
3992
3992
  default: async (t) => {
3993
- var a, i, n;
3993
+ var i, a, n;
3994
3994
  const e = await this.getUserFromParam(t);
3995
3995
  return e.exception || !e.user ? {
3996
3996
  ok: !1,
3997
- error: ((a = e.exception) == null ? void 0 : a.message) ?? "Couldn't get user",
3998
- errorCode: (i = e.exception) == null ? void 0 : i.code,
3997
+ error: ((i = e.exception) == null ? void 0 : i.message) ?? "Couldn't get user",
3998
+ errorCode: (a = e.exception) == null ? void 0 : a.code,
3999
3999
  errorCodeName: (n = e.exception) == null ? void 0 : n.codeName
4000
4000
  } : await this.updateUser(e.user, t);
4001
4001
  }
@@ -4017,12 +4017,12 @@ class ke {
4017
4017
  }, this.changePasswordEndpoint = {
4018
4018
  actions: {
4019
4019
  default: async (t) => {
4020
- var a, i, n;
4020
+ var i, a, n;
4021
4021
  const e = await this.getUserFromParam(t);
4022
4022
  return e.exception || !e.user ? {
4023
4023
  ok: !1,
4024
- error: ((a = e.exception) == null ? void 0 : a.message) ?? "Couldn't get user",
4025
- errorCode: (i = e.exception) == null ? void 0 : i.code,
4024
+ error: ((i = e.exception) == null ? void 0 : i.message) ?? "Couldn't get user",
4025
+ errorCode: (a = e.exception) == null ? void 0 : a.code,
4026
4026
  errorCodeName: (n = e.exception) == null ? void 0 : n.codeName
4027
4027
  } : await this.changePassword(e.user, t);
4028
4028
  }
@@ -4035,8 +4035,8 @@ class ke {
4035
4035
  editUser: e.user,
4036
4036
  ...this.baseEndpoint(t)
4037
4037
  };
4038
- let s = {}, a = t.url.searchParams.get("next");
4039
- return a && (s.next = a), {
4038
+ let s = {}, i = t.url.searchParams.get("next");
4039
+ return i && (s.next = i), {
4040
4040
  ...s,
4041
4041
  editUser: e.user,
4042
4042
  ...this.baseEndpoint(t)
@@ -4058,15 +4058,15 @@ class ke {
4058
4058
  default: async (t) => await this.deleteUser(t)
4059
4059
  },
4060
4060
  load: async (t) => {
4061
- var s, a, i;
4061
+ var s, i, a;
4062
4062
  const e = await this.getUserFromParam(t);
4063
4063
  return e.exception || !e.user ? {
4064
4064
  error: "User doesn't exist",
4065
4065
  errorCode: (s = e.exception) == null ? void 0 : s.code,
4066
- errorCodeName: (a = e.exception) == null ? void 0 : a.codeName,
4066
+ errorCodeName: (i = e.exception) == null ? void 0 : i.codeName,
4067
4067
  ...this.baseEndpoint(t)
4068
4068
  } : {
4069
- username: (i = e.user) == null ? void 0 : i.username,
4069
+ username: (a = e.user) == null ? void 0 : a.username,
4070
4070
  ...this.baseEndpoint(t)
4071
4071
  };
4072
4072
  }
@@ -4117,7 +4117,7 @@ class ke {
4117
4117
  try {
4118
4118
  if (!this.sessionServer.userStorage) throw new c(h.Configuration, "Must provide user storage to use this function");
4119
4119
  (!r.locals.user || !p.isAdminFn(r.locals.user)) && this.sessionServer.error(401);
4120
- let s = [], a = [], i = [];
4120
+ let s = [], i = [], a = [];
4121
4121
  if (!t)
4122
4122
  try {
4123
4123
  const l = r.url.searchParams.get("skip");
@@ -4139,7 +4139,7 @@ class ke {
4139
4139
  this.sessionServer.userStorage,
4140
4140
  t,
4141
4141
  e
4142
- ), t > 0 && (a = await this.userSearchFn(
4142
+ ), t > 0 && (i = await this.userSearchFn(
4143
4143
  o,
4144
4144
  this.sessionServer.userStorage,
4145
4145
  t - 1,
@@ -4147,7 +4147,7 @@ class ke {
4147
4147
  ))) : (s = await this.sessionServer.userStorage.getUsers(
4148
4148
  t,
4149
4149
  e
4150
- ), s.length == e && (i = await this.sessionServer.userStorage.getUsers(
4150
+ ), s.length == e && (a = await this.sessionServer.userStorage.getUsers(
4151
4151
  t + e,
4152
4152
  1
4153
4153
  ))), {
@@ -4155,17 +4155,17 @@ class ke {
4155
4155
  users: s,
4156
4156
  skip: t,
4157
4157
  take: e,
4158
- hasPrevious: a.length > 0,
4159
- hasNext: i.length > 0,
4158
+ hasPrevious: i.length > 0,
4159
+ hasNext: a.length > 0,
4160
4160
  search: o
4161
4161
  };
4162
4162
  } catch (s) {
4163
- const a = c.asCrossauthError(s);
4164
- return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
4163
+ const i = c.asCrossauthError(s);
4164
+ return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
4165
4165
  ok: !1,
4166
- error: a.message,
4167
- errorCode: a.code,
4168
- errorCodeName: a.codeName,
4166
+ error: i.message,
4167
+ errorCode: i.code,
4168
+ errorCodeName: i.codeName,
4169
4169
  hasPrevious: !1,
4170
4170
  hasNext: !1,
4171
4171
  skip: t ?? 0,
@@ -4211,7 +4211,7 @@ class ke {
4211
4211
  if (!this.sessionServer.userStorage) throw new c(h.Configuration, "Must provide user storage to use this function");
4212
4212
  var e = new b();
4213
4213
  if (await e.loadData(o), t = e.toObject(), (!o.locals.user || !p.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken) throw new c(h.InvalidCsrf);
4214
- const s = r.factor2, a = r.state;
4214
+ const s = r.factor2, i = r.state;
4215
4215
  r.state = t.state ?? "active", r = this.sessionServer.updateUserFn(
4216
4216
  r,
4217
4217
  o,
@@ -4221,11 +4221,11 @@ class ke {
4221
4221
  ...this.sessionServer.userStorage.adminEditableFields
4222
4222
  }
4223
4223
  );
4224
- const i = r.factor2 && r.factor2 != "none" && r.factor2 != s;
4225
- if (i && !(r.state == a || r.state == "factor2ResetNeeded"))
4224
+ const a = r.factor2 && r.factor2 != "none" && r.factor2 != s;
4225
+ if (a && !(r.state == i || r.state == "factor2ResetNeeded"))
4226
4226
  throw new c(h.BadRequest, "Cannot change both factor2 and state at the same time");
4227
- i && (r.state = I.factor2ResetNeeded, d.logger.warn(u({
4228
- msg: `Setting state for user to ${I.factor2ResetNeeded}`,
4227
+ a && (r.state = N.factor2ResetNeeded, d.logger.warn(u({
4228
+ msg: `Setting state for user to ${N.factor2ResetNeeded}`,
4229
4229
  username: r.username
4230
4230
  })));
4231
4231
  let n = this.sessionServer.validateUserFn(r);
@@ -4240,11 +4240,11 @@ class ke {
4240
4240
  };
4241
4241
  } catch (s) {
4242
4242
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s, 401)) throw s;
4243
- let a = c.asCrossauthError(s, "Couldn't log in");
4244
- return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
4245
- error: a.message,
4246
- errorCode: a.code,
4247
- errorCodeName: a.codeName,
4243
+ let i = c.asCrossauthError(s, "Couldn't log in");
4244
+ return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
4245
+ error: i.message,
4246
+ errorCode: i.code,
4247
+ errorCodeName: i.codeName,
4248
4248
  ok: !1,
4249
4249
  formData: t
4250
4250
  };
@@ -4276,18 +4276,18 @@ class ke {
4276
4276
  var e = new b();
4277
4277
  if (await e.loadData(o), t = e.toObject(), (!o.locals.user || !p.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken)
4278
4278
  throw new c(h.InvalidCsrf);
4279
- const s = this.sessionServer.authenticators[r.factor1], a = s.secretNames();
4280
- let i = {}, n = {}, l = {};
4279
+ const s = this.sessionServer.authenticators[r.factor1], i = s.secretNames();
4280
+ let a = {}, n = {}, l = {};
4281
4281
  for (let g in t)
4282
4282
  if (g.startsWith("new_")) {
4283
- const m = g.replace(/^new_/, "");
4284
- a.includes(m) && (n[m] = t[g]);
4283
+ const w = g.replace(/^new_/, "");
4284
+ i.includes(w) && (n[w] = t[g]);
4285
4285
  } else if (g.startsWith("old_")) {
4286
- const m = g.replace(/^old_/, "");
4287
- a.includes(m) && (i[m] = t[g]);
4286
+ const w = g.replace(/^old_/, "");
4287
+ i.includes(w) && (a[w] = t[g]);
4288
4288
  } else if (g.startsWith("repeat_")) {
4289
- const m = g.replace(/^repeat_/, "");
4290
- a.includes(m) && (l[m] = t[g]);
4289
+ const w = g.replace(/^repeat_/, "");
4290
+ i.includes(w) && (l[w] = t[g]);
4291
4291
  }
4292
4292
  if (Object.keys(l).length === 0 && (l = void 0), s.validateSecrets(n).length > 0)
4293
4293
  throw new c(h.PasswordFormat);
@@ -4297,11 +4297,11 @@ class ke {
4297
4297
  1,
4298
4298
  n,
4299
4299
  l,
4300
- i
4300
+ a
4301
4301
  );
4302
4302
  } catch (g) {
4303
- const m = c.asCrossauthError(g);
4304
- throw d.logger.debug(u({ err: g })), m;
4303
+ const w = c.asCrossauthError(g);
4304
+ throw d.logger.debug(u({ err: g })), w;
4305
4305
  }
4306
4306
  return {
4307
4307
  ok: !0,
@@ -4309,11 +4309,11 @@ class ke {
4309
4309
  };
4310
4310
  } catch (s) {
4311
4311
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s, 401)) throw s;
4312
- let a = c.asCrossauthError(s, "Couldn't change password");
4313
- return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
4314
- error: a.message,
4315
- errorCode: a.code,
4316
- errorCodeName: a.codeName,
4312
+ let i = c.asCrossauthError(s, "Couldn't change password");
4313
+ return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
4314
+ error: i.message,
4315
+ errorCode: i.code,
4316
+ errorCodeName: i.codeName,
4317
4317
  ok: !1,
4318
4318
  formData: t
4319
4319
  };
@@ -4388,37 +4388,37 @@ class ke {
4388
4388
  ...this.sessionServer.userStorage.adminEditableFields
4389
4389
  }
4390
4390
  );
4391
- const a = this.sessionServer.authenticators[s.factor1].secretNames();
4392
- let i = !0;
4393
- for (let w of a)
4394
- !o[w] && !o["repeat_" + w] && (i = !1);
4391
+ const i = this.sessionServer.authenticators[s.factor1].secretNames();
4392
+ let a = !0;
4393
+ for (let m of i)
4394
+ !o[m] && !o["repeat_" + m] && (a = !1);
4395
4395
  let n = [], l = {};
4396
- if (i) {
4396
+ if (a) {
4397
4397
  n = this.sessionServer.authenticators[s.factor1].validateSecrets(o);
4398
- for (let w in o)
4399
- if (w.startsWith("repeat_")) {
4400
- const S = w.replace(/^repeat_/, "");
4401
- a.includes(S) && (l[S] = o[w]);
4398
+ for (let m in o)
4399
+ if (m.startsWith("repeat_")) {
4400
+ const S = m.replace(/^repeat_/, "");
4401
+ i.includes(S) && (l[S] = o[m]);
4402
4402
  }
4403
4403
  Object.keys(l).length === 0 && (l = void 0);
4404
4404
  }
4405
- i ? o.factor2 != null && (s.state = I.factor2ResetNeeded) : o.factor2 == null ? s.state = I.passwordResetNeeded : s.state = I.passwordAndFactor2ResetNeeded;
4405
+ a ? o.factor2 != null && (s.state = N.factor2ResetNeeded) : o.factor2 == null ? s.state = N.passwordResetNeeded : s.state = N.passwordAndFactor2ResetNeeded;
4406
4406
  let g = [...this.sessionServer.validateUserFn(s), ...n];
4407
4407
  if (g.length > 0)
4408
4408
  throw new c(h.FormEntry, g);
4409
- const m = await this.sessionServer.sessionManager.createUser(
4409
+ const w = await this.sessionServer.sessionManager.createUser(
4410
4410
  s,
4411
4411
  o,
4412
4412
  l,
4413
4413
  !0,
4414
- !i
4414
+ !a
4415
4415
  );
4416
- if (!i) {
4417
- let w = o.username;
4418
- if ("user_email" in o && (w = o.user_email), oe.validateEmail(w), !w) throw new c(h.FormEntry, "No password given but no email address found either");
4419
- await this.sessionServer.sessionManager.requestPasswordReset(w);
4416
+ if (!a) {
4417
+ let m = o.username;
4418
+ if ("user_email" in o && (m = o.user_email), oe.validateEmail(m), !m) throw new c(h.FormEntry, "No password given but no email address found either");
4419
+ await this.sessionServer.sessionManager.requestPasswordReset(m);
4420
4420
  }
4421
- return { ok: !0, user: m, formData: o };
4421
+ return { ok: !0, user: w, formData: o };
4422
4422
  } catch (e) {
4423
4423
  let s = c.asCrossauthError(e, "Couldn't create user");
4424
4424
  return d.logger.debug(u({ err: s })), d.logger.error(u({ cerr: s })), {
@@ -4487,23 +4487,23 @@ async function Se(k, r, o, t, e) {
4487
4487
  let s = [];
4488
4488
  if (o > 0) return [];
4489
4489
  try {
4490
- const a = await r.getClientById(k);
4491
- s.push(a);
4492
- } catch (a) {
4493
- const i = c.asCrossauthError(a);
4494
- if (i.code != h.UserNotExist)
4495
- throw d.logger.debug(u({ err: i })), i;
4490
+ const i = await r.getClientById(k);
4491
+ s.push(i);
4492
+ } catch (i) {
4493
+ const a = c.asCrossauthError(i);
4494
+ if (a.code != h.UserNotExist)
4495
+ throw d.logger.debug(u({ err: a })), a;
4496
4496
  try {
4497
4497
  s = await r.getClientByName(k, e);
4498
4498
  } catch (n) {
4499
4499
  const l = c.asCrossauthError(n);
4500
4500
  if (l.code != h.UserNotExist)
4501
- throw d.logger.debug(u({ err: l })), i;
4501
+ throw d.logger.debug(u({ err: l })), a;
4502
4502
  }
4503
4503
  }
4504
4504
  return s;
4505
4505
  }
4506
- class $ {
4506
+ class X {
4507
4507
  /**
4508
4508
  * Constructor
4509
4509
  *
@@ -4511,7 +4511,7 @@ class $ {
4511
4511
  * @param options See {@link SvelteKitSessionServerOptions}
4512
4512
  */
4513
4513
  constructor(r, o) {
4514
- this.loginUrl = "/login", this.clientSearchFn = Se, this.validFlows = ["all"], this.sessionServer = r, y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect ?? Q, this.error = o.error ?? Y, y("validFlows", _.JsonArray, this, o, "OAUTH_validFlows"), this.validFlows.length == 1 && this.validFlows[0] == E.All && (this.validFlows = E.allFlows()), this.valid_flowNames = E.flowNames(this.validFlows), o.clientStorage && (this.clientManager = new x(o)), this.clientStorage = o.clientStorage;
4514
+ this.loginUrl = "/login", this.clientSearchFn = Se, this.validFlows = ["all"], this.sessionServer = r, y("loginUrl", E.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect ?? Q, this.error = o.error ?? Y, y("validFlows", E.JsonArray, this, o, "OAUTH_validFlows"), this.validFlows.length == 1 && this.validFlows[0] == _.All && (this.validFlows = _.allFlows()), this.valid_flowNames = _.flowNames(this.validFlows), o.clientStorage && (this.clientManager = new B(o)), this.clientStorage = o.clientStorage;
4515
4515
  }
4516
4516
  ///////////////////////////////////////////////////////////////////
4517
4517
  // Functions callable from apps
@@ -4557,7 +4557,7 @@ class $ {
4557
4557
  if (!this.sessionServer.clientStorage) throw new c(h.Configuration, "Must provide client storage to use this function");
4558
4558
  if (!r.locals.user)
4559
4559
  throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
4560
- let a = [], i = [], n = [];
4560
+ let i = [], a = [], n = [];
4561
4561
  if (!t)
4562
4562
  try {
4563
4563
  const f = r.url.searchParams.get("skip");
@@ -4574,44 +4574,44 @@ class $ {
4574
4574
  }
4575
4575
  e || (e = 10);
4576
4576
  const l = r.url.searchParams.get("search");
4577
- return !o && l != null && l != "" && (o = l), o || (o = ""), o.length == 0 && (o = void 0), o ? (a = await this.clientSearchFn(
4577
+ return !o && l != null && l != "" && (o = l), o || (o = ""), o.length == 0 && (o = void 0), o ? (i = await this.clientSearchFn(
4578
4578
  o,
4579
4579
  this.sessionServer.clientStorage,
4580
4580
  t,
4581
4581
  e
4582
- ), t > 0 && (i = await this.clientSearchFn(
4582
+ ), t > 0 && (a = await this.clientSearchFn(
4583
4583
  o,
4584
4584
  this.sessionServer.clientStorage,
4585
4585
  t - 1,
4586
4586
  1,
4587
4587
  s
4588
- ))) : (a = await this.sessionServer.clientStorage.getClients(
4588
+ ))) : (i = await this.sessionServer.clientStorage.getClients(
4589
4589
  t,
4590
4590
  e,
4591
4591
  s
4592
- ), a.length == e && (n = await this.sessionServer.clientStorage.getClients(
4592
+ ), i.length == e && (n = await this.sessionServer.clientStorage.getClients(
4593
4593
  t + e,
4594
4594
  1,
4595
4595
  s
4596
4596
  ))), {
4597
4597
  ok: !0,
4598
- clients: a,
4598
+ clients: i,
4599
4599
  skip: t,
4600
4600
  take: e,
4601
- hasPrevious: i.length > 0,
4601
+ hasPrevious: a.length > 0,
4602
4602
  hasNext: n.length > 0,
4603
4603
  search: o,
4604
4604
  clientUserId: s
4605
4605
  };
4606
- } catch (a) {
4607
- if (p.isSvelteKitRedirect(a) || p.isSvelteKitRedirect(a))
4608
- throw a;
4609
- const i = c.asCrossauthError(a);
4610
- return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
4606
+ } catch (i) {
4607
+ if (p.isSvelteKitRedirect(i) || p.isSvelteKitRedirect(i))
4608
+ throw i;
4609
+ const a = c.asCrossauthError(i);
4610
+ return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
4611
4611
  ok: !1,
4612
- error: i.message,
4613
- errorCode: i.code,
4614
- errorCodeName: i.codeName,
4612
+ error: a.message,
4613
+ errorCode: a.code,
4614
+ errorCodeName: a.codeName,
4615
4615
  hasPrevious: !1,
4616
4616
  hasNext: !1,
4617
4617
  skip: t ?? 0,
@@ -4634,21 +4634,21 @@ class $ {
4634
4634
  try {
4635
4635
  if (!o) throw new c(h.BadRequest, "No client ID specified");
4636
4636
  if (!this.clientStorage) throw new c(h.Configuration, "No client storage specified");
4637
- const a = await this.clientStorage.getClientById(o), i = a.userid == null ? void 0 : await ((e = (t = this.sessionServer) == null ? void 0 : t.userStorage) == null ? void 0 : e.getUserById(a.userid)), n = (s = i == null ? void 0 : i.user) == null ? void 0 : s.username;
4637
+ const i = await this.clientStorage.getClientById(o), a = i.userid == null ? void 0 : await ((e = (t = this.sessionServer) == null ? void 0 : t.userStorage) == null ? void 0 : e.getUserById(i.userid)), n = (s = a == null ? void 0 : a.user) == null ? void 0 : s.username;
4638
4638
  return {
4639
4639
  ok: !0,
4640
- client: a,
4640
+ client: i,
4641
4641
  validFlows: this.validFlows,
4642
4642
  valid_flowNames: this.valid_flowNames,
4643
4643
  client_id: o,
4644
4644
  clientUsername: n
4645
4645
  };
4646
- } catch (a) {
4647
- let i = c.asCrossauthError(a, "Couldn't load client");
4648
- return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
4649
- error: i.message,
4650
- errorCode: i.code,
4651
- errorCodeName: i.codeName,
4646
+ } catch (i) {
4647
+ let a = c.asCrossauthError(i, "Couldn't load client");
4648
+ return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
4649
+ error: a.message,
4650
+ errorCode: a.code,
4651
+ errorCodeName: a.codeName,
4652
4652
  ok: !1,
4653
4653
  validFlows: this.validFlows,
4654
4654
  valid_flowNames: this.valid_flowNames,
@@ -4669,11 +4669,11 @@ class $ {
4669
4669
  * @returns {@link UpdateClientFormData}. If a new secret was created, it will be placed as plaintext in the client that is returned.
4670
4670
  */
4671
4671
  async updateClient_internal(r, o) {
4672
- var s, a;
4672
+ var s, i;
4673
4673
  let t;
4674
4674
  try {
4675
- const i = r.params.client_id;
4676
- if (!i) throw new c(h.BadRequest, "No client ID given");
4675
+ const a = r.params.client_id;
4676
+ if (!a) throw new c(h.BadRequest, "No client ID given");
4677
4677
  var e = new b();
4678
4678
  if (await e.loadData(r), t = e.toObject(), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
4679
4679
  throw new c(h.InvalidCsrf);
@@ -4681,7 +4681,7 @@ class $ {
4681
4681
  let l = [];
4682
4682
  for (let C of n)
4683
4683
  try {
4684
- x.validateUri(C);
4684
+ B.validateUri(C);
4685
4685
  } catch (T) {
4686
4686
  d.logger.error(u({ err: T })), l.push("[" + C + "]");
4687
4687
  }
@@ -4697,28 +4697,28 @@ class $ {
4697
4697
  if (g.client_name = t.client_name, g.confidential = e.getAsBoolean("confidential") ?? !1, g.valid_flow = f, g.redirect_uri = n, o) {
4698
4698
  let C = t.userid ?? void 0;
4699
4699
  if (C && ((s = this.sessionServer) != null && s.userStorage)) {
4700
- const { user: T } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
4700
+ const { user: T } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
4701
4701
  C = T.id;
4702
4702
  }
4703
4703
  g.userid = t.userid ? Number(t.userid) : null;
4704
4704
  }
4705
- const m = e.getAsBoolean("resetSecret");
4705
+ const w = e.getAsBoolean("resetSecret");
4706
4706
  if (!this.clientManager) throw new c(h.Configuration, "Cannot call this endpoint as you did not provide a clientStorage");
4707
- const { client: w, newSecret: S } = await this.clientManager.updateClient(
4708
- i,
4707
+ const { client: m, newSecret: S } = await this.clientManager.updateClient(
4708
+ a,
4709
4709
  g,
4710
- m
4710
+ w
4711
4711
  );
4712
4712
  return {
4713
4713
  ok: !0,
4714
- client: w,
4714
+ client: m,
4715
4715
  formData: t,
4716
4716
  //plaintextSecret: resetSecret ? formData.client_secret : undefined,
4717
- plaintextSecret: S && w.client_secret ? w.client_secret : void 0
4717
+ plaintextSecret: S && m.client_secret ? m.client_secret : void 0
4718
4718
  };
4719
- } catch (i) {
4720
- if (p.isSvelteKitRedirect(i) || p.isSvelteKitError(i)) throw i;
4721
- let n = c.asCrossauthError(i, "Couldn't update client");
4719
+ } catch (a) {
4720
+ if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
4721
+ let n = c.asCrossauthError(a, "Couldn't update client");
4722
4722
  return d.logger.debug(u({ err: n })), d.logger.error(u({ cerr: n })), {
4723
4723
  error: n.message,
4724
4724
  errorCode: n.code,
@@ -4737,7 +4737,7 @@ class $ {
4737
4737
  * @returns {@link CreateClientPageData}.
4738
4738
  */
4739
4739
  async emptyClient_internal(r, o) {
4740
- var e, s, a, i, n, l, f;
4740
+ var e, s, i, a, n, l, f;
4741
4741
  try {
4742
4742
  var t = new b();
4743
4743
  await t.loadData(r);
@@ -4749,8 +4749,8 @@ class $ {
4749
4749
  g = T.id;
4750
4750
  }
4751
4751
  const C = t.get("userid");
4752
- if (C && ((a = this.sessionServer) != null && a.userStorage)) {
4753
- const { user: T } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
4752
+ if (C && ((i = this.sessionServer) != null && i.userStorage)) {
4753
+ const { user: T } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
4754
4754
  g = T.id;
4755
4755
  }
4756
4756
  } else {
@@ -4758,20 +4758,20 @@ class $ {
4758
4758
  g = r.locals.user.id;
4759
4759
  }
4760
4760
  if (!this.clientStorage) throw new c(h.Configuration, "No client storage specified");
4761
- const m = g == null ? void 0 : await ((l = (n = this.sessionServer) == null ? void 0 : n.userStorage) == null ? void 0 : l.getUserById(g)), w = (f = m == null ? void 0 : m.user) == null ? void 0 : f.username;
4761
+ const w = g == null ? void 0 : await ((l = (n = this.sessionServer) == null ? void 0 : n.userStorage) == null ? void 0 : l.getUserById(g)), m = (f = w == null ? void 0 : w.user) == null ? void 0 : f.username;
4762
4762
  return {
4763
4763
  ok: !0,
4764
4764
  validFlows: this.validFlows,
4765
4765
  valid_flowNames: this.valid_flowNames,
4766
4766
  clientUserId: g,
4767
- clientUsername: w
4767
+ clientUsername: m
4768
4768
  };
4769
4769
  } catch (g) {
4770
- let m = c.asCrossauthError(g, "Couldn't initialize new client");
4771
- return d.logger.debug(u({ err: m })), d.logger.error(u({ cerr: m })), {
4772
- error: m.message,
4773
- errorCode: m.code,
4774
- errorCodeName: m.codeName,
4770
+ let w = c.asCrossauthError(g, "Couldn't initialize new client");
4771
+ return d.logger.debug(u({ err: w })), d.logger.error(u({ cerr: w })), {
4772
+ error: w.message,
4773
+ errorCode: w.code,
4774
+ errorCodeName: w.codeName,
4775
4775
  ok: !1,
4776
4776
  validFlows: this.validFlows,
4777
4777
  valid_flowNames: this.valid_flowNames
@@ -4790,7 +4790,7 @@ class $ {
4790
4790
  * @returns {@link UpdateClientFormData}. If a secret was created, it will be placed as plaintext in the client that is returned. A random `client_id` is created.
4791
4791
  */
4792
4792
  async createClient_internal(r, o) {
4793
- var s, a, i, n;
4793
+ var s, i, a, n;
4794
4794
  let t;
4795
4795
  try {
4796
4796
  var e = new b();
@@ -4799,7 +4799,7 @@ class $ {
4799
4799
  if (o) {
4800
4800
  const C = e.get("userid");
4801
4801
  if (C && ((s = this.sessionServer) != null && s.userStorage)) {
4802
- const { user: T } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
4802
+ const { user: T } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
4803
4803
  l = T.id;
4804
4804
  }
4805
4805
  } else {
@@ -4807,13 +4807,13 @@ class $ {
4807
4807
  l = r.locals.user.id;
4808
4808
  }
4809
4809
  if (!this.clientStorage) throw new c(h.Configuration, "No client storage specified");
4810
- if (l && await ((n = (i = this.sessionServer) == null ? void 0 : i.userStorage) == null ? void 0 : n.getUserById(l)), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
4810
+ if (l && await ((n = (a = this.sessionServer) == null ? void 0 : a.userStorage) == null ? void 0 : n.getUserById(l)), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
4811
4811
  throw new c(h.InvalidCsrf);
4812
4812
  const f = !t.redirect_uri || t.redirect_uri.trim().length == 0 ? [] : t.redirect_uri.trim().split(/[, ][ \t\n]*/);
4813
4813
  let g = [];
4814
4814
  for (let C of f)
4815
4815
  try {
4816
- x.validateUri(C);
4816
+ B.validateUri(C);
4817
4817
  } catch (T) {
4818
4818
  d.logger.error(u({ err: T })), g.push("[" + C + "]");
4819
4819
  }
@@ -4822,17 +4822,17 @@ class $ {
4822
4822
  h.BadRequest,
4823
4823
  "The following redirect URIs are invalid: " + g.join(" ")
4824
4824
  );
4825
- let m = [];
4825
+ let w = [];
4826
4826
  for (let C of this.validFlows)
4827
- C in t && m.push(C);
4828
- const w = {};
4829
- if (w.client_name = t.client_name, w.confidential = e.getAsBoolean("confidential"), w.valid_flow = m, w.redirect_uri = f, o && (w.userid = t.userid ? Number(t.userid) : null), !this.clientManager) throw new c(h.Configuration, "Cannot call this endpoint as you did not provide a clientStorage");
4827
+ C in t && w.push(C);
4828
+ const m = {};
4829
+ if (m.client_name = t.client_name, m.confidential = e.getAsBoolean("confidential"), m.valid_flow = w, m.redirect_uri = f, o && (m.userid = t.userid ? Number(t.userid) : null), !this.clientManager) throw new c(h.Configuration, "Cannot call this endpoint as you did not provide a clientStorage");
4830
4830
  return {
4831
4831
  ok: !0,
4832
4832
  client: await this.clientManager.createClient(
4833
4833
  t.client_name,
4834
4834
  f,
4835
- m,
4835
+ w,
4836
4836
  e.getAsBoolean("confidential") ?? !1,
4837
4837
  l
4838
4838
  ),
@@ -4863,19 +4863,19 @@ class $ {
4863
4863
  try {
4864
4864
  if (!o) throw new c(h.BadRequest, "No client ID specified");
4865
4865
  if (!this.clientStorage) throw new c(h.Configuration, "No client storage specified");
4866
- const a = await this.clientStorage.getClientById(o), i = a.userid == null ? void 0 : await ((e = (t = this.sessionServer) == null ? void 0 : t.userStorage) == null ? void 0 : e.getUserById(a.userid)), n = (s = i == null ? void 0 : i.user) == null ? void 0 : s.username;
4866
+ const i = await this.clientStorage.getClientById(o), a = i.userid == null ? void 0 : await ((e = (t = this.sessionServer) == null ? void 0 : t.userStorage) == null ? void 0 : e.getUserById(i.userid)), n = (s = a == null ? void 0 : a.user) == null ? void 0 : s.username;
4867
4867
  return {
4868
4868
  ok: !0,
4869
- client: a,
4869
+ client: i,
4870
4870
  client_id: o,
4871
4871
  clientUsername: n
4872
4872
  };
4873
- } catch (a) {
4874
- let i = c.asCrossauthError(a, "Couldn't load client");
4875
- return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
4876
- error: i.message,
4877
- errorCode: i.code,
4878
- errorCodeName: i.codeName,
4873
+ } catch (i) {
4874
+ let a = c.asCrossauthError(i, "Couldn't load client");
4875
+ return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
4876
+ error: a.message,
4877
+ errorCode: a.code,
4878
+ errorCodeName: a.codeName,
4879
4879
  ok: !1,
4880
4880
  client_id: o
4881
4881
  };
@@ -4896,19 +4896,19 @@ class $ {
4896
4896
  const s = r.params.client_id;
4897
4897
  if (!s) throw new c(h.BadRequest, "No client ID given");
4898
4898
  if (!this.clientStorage) throw new c(h.Configuration, "No client storage specified");
4899
- const a = await ((t = this.clientStorage) == null ? void 0 : t.getClientById(s));
4900
- if (!o && a.userid != ((e = r.locals.user) == null ? void 0 : e.id))
4899
+ const i = await ((t = this.clientStorage) == null ? void 0 : t.getClientById(s));
4900
+ if (!o && i.userid != ((e = r.locals.user) == null ? void 0 : e.id))
4901
4901
  throw this.error(401, "Unauthorized");
4902
4902
  return await this.clientStorage.deleteClient(s), {
4903
4903
  ok: !0
4904
4904
  };
4905
4905
  } catch (s) {
4906
4906
  if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
4907
- let a = c.asCrossauthError(s, "Couldn't delete client");
4908
- return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
4909
- error: a.message,
4910
- errorCode: a.code,
4911
- errorCodeName: a.codeName,
4907
+ let i = c.asCrossauthError(s, "Couldn't delete client");
4908
+ return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
4909
+ error: i.message,
4910
+ errorCode: i.code,
4911
+ errorCodeName: i.codeName,
4912
4912
  ok: !1
4913
4913
  };
4914
4914
  }
@@ -4929,7 +4929,7 @@ class $ {
4929
4929
  };
4930
4930
  }
4931
4931
  }
4932
- class Ce extends $ {
4932
+ class Ce extends X {
4933
4933
  /**
4934
4934
  * Constructor
4935
4935
  * @param sessionServer the session server which will have these endpoints
@@ -4977,7 +4977,7 @@ class Ce extends $ {
4977
4977
  actions: {
4978
4978
  default: async (t) => await this.deleteClient(t)
4979
4979
  }
4980
- }, this.sessionServer = r, y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect, this.error = o.error;
4980
+ }, this.sessionServer = r, y("loginUrl", E.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect, this.error = o.error;
4981
4981
  }
4982
4982
  ///////////////////////////////////////////////////////////////////
4983
4983
  // Functions callable from apps
@@ -5105,7 +5105,7 @@ class Ce extends $ {
5105
5105
  return this.createClient_internal(r, !1);
5106
5106
  }
5107
5107
  }
5108
- class ye extends $ {
5108
+ class ye extends X {
5109
5109
  /**
5110
5110
  * Constructor
5111
5111
  * @param sessionServer the session server which will have these endpoints
@@ -5159,7 +5159,7 @@ class ye extends $ {
5159
5159
  actions: {
5160
5160
  default: async (t) => await this.deleteClient(t)
5161
5161
  }
5162
- }, this.sessionServer = r, y("loginUrl", _.String, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect, this.error = o.error;
5162
+ }, this.sessionServer = r, y("loginUrl", E.String, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect, this.error = o.error;
5163
5163
  }
5164
5164
  ///////////////////////////////////////////////////////////////////
5165
5165
  // Functions callable from apps
@@ -5220,52 +5220,52 @@ class ye extends $ {
5220
5220
  return this.deleteClient_internal(r, !0);
5221
5221
  }
5222
5222
  }
5223
- const B = "X-CROSSAUTH-CSRF";
5224
- function _e(k) {
5223
+ const x = "X-CROSSAUTH-CSRF";
5224
+ function Ee(k) {
5225
5225
  let r = [];
5226
5226
  return k.username == null ? r.push("Username must be given") : k.username.length < 2 ? r.push("Username must be at least 2 characters") : k.username.length > 254 && r.push("Username must be no longer than 254 characters"), r;
5227
5227
  }
5228
- function Ee(k, r, o) {
5229
- var a;
5228
+ function _e(k, r, o) {
5229
+ var i;
5230
5230
  let e = {
5231
5231
  username: r.username ?? "",
5232
5232
  state: "active"
5233
5233
  };
5234
5234
  const s = k.locals.user && p.isAdminFn(k.locals.user);
5235
- for (let i in r) {
5236
- let n = i.replace(/^user_/, "");
5237
- if (i.startsWith("user_") && (s || o.includes(n)))
5235
+ for (let a in r) {
5236
+ let n = a.replace(/^user_/, "");
5237
+ if (a.startsWith("user_") && (s || o.includes(n)))
5238
5238
  if ("type_" + n in r) {
5239
5239
  if (r["type_" + n] == "string")
5240
- e[n] = r[i];
5240
+ e[n] = r[a];
5241
5241
  else if (r["type_" + n] == "number" || r["type_" + n] == "integer" || r["type_" + n] == "float")
5242
- e[n] = Number(r[i]);
5242
+ e[n] = Number(r[a]);
5243
5243
  else if (r["type_" + n] == "boolean") {
5244
- const l = (a = r[i]) == null ? void 0 : a.toLocaleLowerCase();
5244
+ const l = (i = r[a]) == null ? void 0 : i.toLocaleLowerCase();
5245
5245
  e[n] = l == "1" || l == "y" || l == "t" || l == "yes" || l == "true";
5246
5246
  }
5247
5247
  } else
5248
- e[n] = r[i];
5248
+ e[n] = r[a];
5249
5249
  }
5250
5250
  return e.factor1 = "localpassword", e.factor2 = r.factor2, e;
5251
5251
  }
5252
5252
  function ve(k, r, o, t) {
5253
5253
  var s;
5254
5254
  const e = r.locals.user && p.isAdminFn(r.locals.user);
5255
- for (let a in o) {
5256
- let i = a.replace(/^user_/, "");
5257
- if (a.startsWith("user_") && (e || t.includes(i)))
5258
- if ("type_" + i in o) {
5259
- if (o["type_" + i] == "string")
5260
- k[i] = o[a];
5261
- else if (o["type_" + i] == "number" || o["type_" + i] == "integer" || o["type_" + i] == "float")
5262
- k[i] = Number(o[a]);
5263
- else if (o["type_" + i] == "boolean") {
5264
- const n = (s = o[a]) == null ? void 0 : s.toLocaleLowerCase();
5265
- k[i] = n == "1" || n == "y" || n == "t" || n == "yes" || n == "true";
5255
+ for (let i in o) {
5256
+ let a = i.replace(/^user_/, "");
5257
+ if (i.startsWith("user_") && (e || t.includes(a)))
5258
+ if ("type_" + a in o) {
5259
+ if (o["type_" + a] == "string")
5260
+ k[a] = o[i];
5261
+ else if (o["type_" + a] == "number" || o["type_" + a] == "integer" || o["type_" + a] == "float")
5262
+ k[a] = Number(o[i]);
5263
+ else if (o["type_" + a] == "boolean") {
5264
+ const n = (s = o[i]) == null ? void 0 : s.toLocaleLowerCase();
5265
+ k[a] = n == "1" || n == "y" || n == "t" || n == "yes" || n == "true";
5266
5266
  }
5267
5267
  } else
5268
- k[i] = o[a];
5268
+ k[a] = o[i];
5269
5269
  }
5270
5270
  return k;
5271
5271
  }
@@ -5278,9 +5278,9 @@ class H {
5278
5278
  * @param options See {@link SvelteKitSessionServerOptions}.
5279
5279
  */
5280
5280
  constructor(r, o, t = {}) {
5281
- this.validateUserFn = _e, this.createUserFn = Ee, this.updateUserFn = ve, this.allowedFactor2 = [], this.allowedFactor2Names = [], this.factor2ProtectedPageEndpoints = [], this.factor2ProtectedApiEndpoints = [], this.loginProtectedPageEndpoints = [], this.loginProtectedApiEndpoints = [], this.loginProtectedExceptionPageEndpoints = [], this.loginProtectedExceptionApiEndpoints = [], this.adminPageEndpoints = [], this.adminApiEndpoints = [], this.unauthorizedUrl = void 0, this.enableCsrfProtection = !0, this.enableEmailVerification = !1, this.enablePasswordReset = !1, this.factor2Url = "/factor2", this.loginUrl = "/login", this.keyStorage = r, this.userStorage = t.userStorage, this.clientStorage = t.clientStorage, this.authenticators = o, this.sessionManager = new ie(r, o, t), this.redirect = t.redirect ?? Q, this.error = t.error ?? Y, y("factor2Url", _.String, this, t, "FACTOR2_URL"), this.factor2Url.endsWith("/") || (this.factor2Url += "/"), y("factor2ProtectedPageEndpoints", _.JsonArray, this, t, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), y("factor2ProtectedApiEndpoints", _.JsonArray, this, t, "FACTOR2_PROTECTED_API_ENDPOINTS"), y("loginProtectedPageEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_PAGE_ENDPOINTS"), y("loginProtectedApiEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_API_ENDPOINTS"), y("loginProtectedExceptionPageEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("loginProtectedExceptionApiEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("adminPageEndpoints", _.JsonArray, this, t, "ADMIN_PAGE_ENDPOINTS"), y("adminApiEndpoints", _.JsonArray, this, t, "ADMIN_API_ENDPOINTS"), y("loginUrl", _.JsonArray, this, t, "LOGIN_URL"), y("unauthorizedUrl", _.JsonArray, this, t, "UNAUTHORIZED_PAGE");
5281
+ this.validateUserFn = Ee, this.createUserFn = _e, this.updateUserFn = ve, this.allowedFactor2 = [], this.allowedFactor2Names = [], this.factor2ProtectedPageEndpoints = [], this.factor2ProtectedApiEndpoints = [], this.loginProtectedPageEndpoints = [], this.loginProtectedApiEndpoints = [], this.loginProtectedExceptionPageEndpoints = [], this.loginProtectedExceptionApiEndpoints = [], this.adminPageEndpoints = [], this.adminApiEndpoints = [], this.adminProtectedExceptionPageEndpoints = [], this.adminProtectedExceptionApiEndpoints = [], this.unauthorizedUrl = void 0, this.enableCsrfProtection = !0, this.enableEmailVerification = !1, this.enablePasswordReset = !1, this.factor2Url = "/factor2", this.loginUrl = "/login", this.keyStorage = r, this.userStorage = t.userStorage, this.clientStorage = t.clientStorage, this.authenticators = o, this.sessionManager = new ie(r, o, t), this.redirect = t.redirect ?? Q, this.error = t.error ?? Y, y("factor2Url", E.String, this, t, "FACTOR2_URL"), this.factor2Url.endsWith("/") || (this.factor2Url += "/"), y("factor2ProtectedPageEndpoints", E.JsonArray, this, t, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), y("factor2ProtectedApiEndpoints", E.JsonArray, this, t, "FACTOR2_PROTECTED_API_ENDPOINTS"), y("loginProtectedPageEndpoints", E.JsonArray, this, t, "LOGIN_PROTECTED_PAGE_ENDPOINTS"), y("loginProtectedApiEndpoints", E.JsonArray, this, t, "LOGIN_PROTECTED_API_ENDPOINTS"), y("loginProtectedExceptionPageEndpoints", E.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("loginProtectedExceptionApiEndpoints", E.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("adminPageEndpoints", E.JsonArray, this, t, "ADMIN_PAGE_ENDPOINTS"), y("adminApiEndpoints", E.JsonArray, this, t, "ADMIN_API_ENDPOINTS"), y("adminProtectedExceptionPageEndpoints", E.JsonArray, this, t, "ADMIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("adminProtectedExceptionApiEndpoints", E.JsonArray, this, t, "ADMIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("loginUrl", E.JsonArray, this, t, "LOGIN_URL"), y("unauthorizedUrl", E.JsonArray, this, t, "UNAUTHORIZED_PAGE");
5282
5282
  let e = {};
5283
- if (y("allowedFactor2", _.JsonArray, e, t, "ALLOWED_FACTOR2"), this.allowedFactor2Names = t.allowedFactor2 ?? ["none"], e.allowedFactor2)
5283
+ if (y("allowedFactor2", E.JsonArray, e, t, "ALLOWED_FACTOR2"), this.allowedFactor2Names = t.allowedFactor2 ?? ["none"], e.allowedFactor2)
5284
5284
  for (let s of e.allowedFactor2)
5285
5285
  s in this.authenticators ? this.allowedFactor2.push({
5286
5286
  name: s,
@@ -5291,79 +5291,79 @@ class H {
5291
5291
  friendlyName: "None",
5292
5292
  configurable: !1
5293
5293
  });
5294
- y("enableEmailVerification", _.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", _.Boolean, this, t, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", _.Boolean, this, t, "ENABLE_CSRF_PROTECTION"), y("editUserScope", _.String, this, t, "EDIT_USER_SCOPE"), t.validateUserFn && (this.validateUserFn = t.validateUserFn), t.createUserFn && (this.createUserFn = t.createUserFn), t.updateUserFn && (this.updateUserFn = t.updateUserFn), t.addToSession && (this.addToSession = t.addToSession), t.validateSession && (this.validateSession = t.validateSession), this.userEndpoints = new we(this, t), this.adminEndpoints = new ke(this, t), this.userClientEndpoints = new Ce(this, t), this.adminClientEndpoints = new ye(this, t), this.sessionHook = async ({ event: s }) => {
5294
+ y("enableEmailVerification", E.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", E.Boolean, this, t, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", E.Boolean, this, t, "ENABLE_CSRF_PROTECTION"), y("editUserScope", E.String, this, t, "EDIT_USER_SCOPE"), t.validateUserFn && (this.validateUserFn = t.validateUserFn), t.createUserFn && (this.createUserFn = t.createUserFn), t.updateUserFn && (this.updateUserFn = t.updateUserFn), t.addToSession && (this.addToSession = t.addToSession), t.validateSession && (this.validateSession = t.validateSession), this.userEndpoints = new we(this, t), this.adminEndpoints = new ke(this, t), this.userClientEndpoints = new Ce(this, t), this.adminClientEndpoints = new ye(this, t), this.sessionHook = async ({ event: s }) => {
5295
5295
  var f, g;
5296
5296
  d.logger.debug("Session hook");
5297
- let a = [];
5298
- const i = this.sessionManager.csrfCookieName, n = this.sessionManager.sessionCookieName;
5297
+ let i = [];
5298
+ const a = this.sessionManager.csrfCookieName, n = this.sessionManager.sessionCookieName;
5299
5299
  if (this.enableCsrfProtection) {
5300
5300
  d.logger.debug(u({ msg: "Getting csrf cookie" }));
5301
- let m;
5301
+ let w;
5302
5302
  try {
5303
- m = this.getCsrfCookieValue(s), m && this.sessionManager.validateCsrfCookie(m);
5304
- } catch (w) {
5305
- d.logger.warn(u({ msg: "Invalid csrf cookie received", cerr: w, hashedCsrfCookie: this.getHashOfCsrfCookie(s) }));
5303
+ w = this.getCsrfCookieValue(s), w && this.sessionManager.validateCsrfCookie(w);
5304
+ } catch (m) {
5305
+ d.logger.warn(u({ msg: "Invalid csrf cookie received", cerr: m, hashedCsrfCookie: this.getHashOfCsrfCookie(s) }));
5306
5306
  try {
5307
- this.clearCookie(i, this.sessionManager.csrfCookiePath, s);
5307
+ this.clearCookie(a, this.sessionManager.csrfCookiePath, s);
5308
5308
  } catch (S) {
5309
5309
  d.logger.debug(u({ err: S })), d.logger.error(u({ cerr: S, msg: "Couldn't delete CSRF cookie", ip: s.request.referrer, hashedCsrfCookie: this.getHashOfCsrfCookie(s) }));
5310
5310
  }
5311
- m = void 0, s.locals.csrfToken = void 0;
5311
+ w = void 0, s.locals.csrfToken = void 0;
5312
5312
  }
5313
5313
  if (["GET", "OPTIONS", "HEAD"].includes(s.request.method))
5314
5314
  try {
5315
- if (m) {
5315
+ if (w) {
5316
5316
  d.logger.debug(u({ msg: "Valid CSRF cookie - creating token" }));
5317
- const w = await this.sessionManager.createCsrfFormOrHeaderValue(m);
5318
- s.locals.csrfToken = w;
5317
+ const m = await this.sessionManager.createCsrfFormOrHeaderValue(w);
5318
+ s.locals.csrfToken = m;
5319
5319
  } else {
5320
5320
  d.logger.debug(u({ msg: "Invalid CSRF cookie - recreating" }));
5321
- const { csrfCookie: w, csrfFormOrHeaderValue: S } = await this.sessionManager.createCsrfToken();
5322
- this.setCsrfCookie(w, s), s.locals.csrfToken = S;
5321
+ const { csrfCookie: m, csrfFormOrHeaderValue: S } = await this.sessionManager.createCsrfToken();
5322
+ this.setCsrfCookie(m, s), s.locals.csrfToken = S;
5323
5323
  }
5324
- this.setHeader(B, s.locals.csrfToken, a);
5325
- } catch (w) {
5326
- d.logger.error(u({ msg: "Couldn't create CSRF token", cerr: w, user: (f = s.locals.user) == null ? void 0 : f.username, hashedSessionCookie: this.getHashOfSessionCookie(s) })), d.logger.debug(u({ err: w })), this.clearCookie(i, this.sessionManager.csrfCookiePath, s), s.locals.csrfToken = void 0;
5324
+ this.setHeader(x, s.locals.csrfToken, i);
5325
+ } catch (m) {
5326
+ d.logger.error(u({ msg: "Couldn't create CSRF token", cerr: m, user: (f = s.locals.user) == null ? void 0 : f.username, hashedSessionCookie: this.getHashOfSessionCookie(s) })), d.logger.debug(u({ err: m })), this.clearCookie(a, this.sessionManager.csrfCookiePath, s), s.locals.csrfToken = void 0;
5327
5327
  }
5328
- else if (m)
5328
+ else if (w)
5329
5329
  try {
5330
- await this.csrfToken(s, a);
5331
- } catch (w) {
5332
- d.logger.error(u({ msg: "Couldn't create CSRF token", cerr: w, user: (g = s.locals.user) == null ? void 0 : g.username, hashedSessionCookie: this.getHashOfSessionCookie(s) })), d.logger.debug(u({ err: w }));
5330
+ await this.csrfToken(s, i);
5331
+ } catch (m) {
5332
+ d.logger.error(u({ msg: "Couldn't create CSRF token", cerr: m, user: (g = s.locals.user) == null ? void 0 : g.username, hashedSessionCookie: this.getHashOfSessionCookie(s) })), d.logger.debug(u({ err: m }));
5333
5333
  }
5334
5334
  }
5335
5335
  s.locals.user = void 0, s.locals.authType = void 0;
5336
5336
  const l = this.getSessionCookieValue(s);
5337
5337
  if (d.logger.debug(u({ msg: "Getting session cookie" })), l)
5338
5338
  try {
5339
- const m = this.sessionManager.getSessionId(l);
5340
- let { key: w, user: S } = await this.sessionManager.userForSessionId(m);
5341
- this.validateSession && this.validateSession(w, S, s), s.locals.sessionId = m, s.locals.user = S, s.locals.authType = "cookie", d.logger.debug(u({ msg: "Valid session id", user: S == null ? void 0 : S.username }));
5339
+ const w = this.sessionManager.getSessionId(l);
5340
+ let { key: m, user: S } = await this.sessionManager.userForSessionId(w);
5341
+ this.validateSession && this.validateSession(m, S, s), s.locals.sessionId = w, s.locals.user = S, s.locals.authType = "cookie", d.logger.debug(u({ msg: "Valid session id", user: S == null ? void 0 : S.username }));
5342
5342
  } catch {
5343
5343
  d.logger.warn(u({ msg: "Invalid session cookie received", hashedSessionCookie: this.getHashOfSessionCookie(s) })), this.clearCookie(n, this.sessionManager.sessionCookiePath, s);
5344
5344
  }
5345
- return { headers: a };
5345
+ return { headers: i };
5346
5346
  }, this.twoFAHook = async ({ event: s }) => {
5347
5347
  var f;
5348
5348
  if (d.logger.debug(u({ msg: "twoFAHook", username: (f = s.locals.user) == null ? void 0 : f.username })), !this.userStorage) throw this.error(500, "No user storage defined");
5349
- const a = this.getSessionCookieValue(s), i = this.isFactor2PageProtected(s), n = this.isFactor2ApiProtected(s);
5349
+ const i = this.getSessionCookieValue(s), a = this.isFactor2PageProtected(s), n = this.isFactor2ApiProtected(s);
5350
5350
  let l;
5351
- if (a)
5351
+ if (i)
5352
5352
  if (s.locals.user) l = s.locals.user;
5353
5353
  else {
5354
5354
  const g = await this.getSessionData(s, "user");
5355
5355
  if (g) {
5356
- const m = await this.userStorage.getUserByUsername(g.username, { skipActiveCheck: !0 });
5357
- (m.user.status == I.active || m.user.state == I.factor2ResetNeeded) && (l = m.user);
5356
+ const w = await this.userStorage.getUserByUsername(g.username, { skipActiveCheck: !0 });
5357
+ (w.user.status == N.active || w.user.state == N.factor2ResetNeeded) && (l = w.user);
5358
5358
  }
5359
5359
  }
5360
- if (l && a && l.factor2 != "" && (i || n))
5360
+ if (l && i && l.factor2 != "" && (a || n))
5361
5361
  if (d.logger.debug(u({ msg: "Factor2-protected endpoint visited" })), ["GET", "OPTIONS", "HEAD"].includes(s.request.method)) {
5362
5362
  d.logger.debug(u({ msg: "Factor2-protected GET endpoint - cancelling 2FA" }));
5363
5363
  const g = this.getSessionCookieValue(s);
5364
5364
  if (g) {
5365
- const m = this.sessionManager.getSessionId(g);
5366
- if ("pre2fa" in await this.sessionManager.dataForSessionId(m)) {
5365
+ const w = this.sessionManager.getSessionId(g);
5366
+ if ("pre2fa" in await this.sessionManager.dataForSessionId(w)) {
5367
5367
  d.logger.debug(u({ msg: "Cancelling 2FA" }));
5368
5368
  try {
5369
5369
  await this.sessionManager.cancelTwoFactorPageVisit(g);
@@ -5373,59 +5373,59 @@ class H {
5373
5373
  }
5374
5374
  }
5375
5375
  } else {
5376
- const g = this.sessionManager.getSessionId(a), m = await this.sessionManager.dataForSessionId(g);
5377
- if ("pre2fa" in m) {
5376
+ const g = this.sessionManager.getSessionId(i), w = await this.sessionManager.dataForSessionId(g);
5377
+ if ("pre2fa" in w) {
5378
5378
  d.logger.debug(u({ msg: "Completing 2FA" }));
5379
- const w = this.authenticators[m.pre2fa.factor2], S = [...w.secretNames(), ...w.transientSecretNames()];
5379
+ const m = this.authenticators[w.pre2fa.factor2], S = [...m.secretNames(), ...m.transientSecretNames()];
5380
5380
  let C = {};
5381
5381
  const T = new b();
5382
5382
  await T.loadData(s);
5383
5383
  for (let U of T.keys())
5384
5384
  S.includes(U) && (C[U] = T.get(U) ?? "");
5385
- const N = this.getSessionCookieValue(s);
5386
- if (!N) throw new c(h.Unauthorized, "No session cookie found");
5387
- let F;
5385
+ const R = this.getSessionCookieValue(s);
5386
+ if (!R) throw new c(h.Unauthorized, "No session cookie found");
5387
+ let A;
5388
5388
  try {
5389
5389
  await this.sessionManager.completeTwoFactorPageVisit(C, s.locals.sessionId ?? "");
5390
5390
  } catch (U) {
5391
- F = c.asCrossauthError(U), d.logger.debug(u({ err: U }));
5391
+ A = c.asCrossauthError(U), d.logger.debug(u({ err: U }));
5392
5392
  const z = c.asCrossauthError(U);
5393
- d.logger.error(u({ msg: F.message, cerr: U, user: T.get("username"), errorCode: z.code, errorCodeName: z.codeName }));
5393
+ d.logger.error(u({ msg: A.message, cerr: U, user: T.get("username"), errorCode: z.code, errorCodeName: z.codeName }));
5394
5394
  }
5395
- if (F)
5396
- if (F.code == h.Expired) {
5395
+ if (A)
5396
+ if (A.code == h.Expired) {
5397
5397
  d.logger.debug(u({ msg: "Error - cancelling 2FA" }));
5398
5398
  try {
5399
- await this.sessionManager.cancelTwoFactorPageVisit(N);
5399
+ await this.sessionManager.cancelTwoFactorPageVisit(R);
5400
5400
  } catch (U) {
5401
5401
  d.logger.error(u({ msg: "Failed cancelling 2FA", cerr: U, user: l.username, hashedSessionCookie: this.getHashOfSessionCookie(s) })), d.logger.debug(u({ err: U }));
5402
5402
  }
5403
5403
  return this.error(401, { message: "Sorry, your code has expired" }), { ok: !1, twofa: !0 };
5404
5404
  } else
5405
- return i ? {
5405
+ return a ? {
5406
5406
  twofa: !0,
5407
5407
  ok: !1,
5408
5408
  response: new Response("", {
5409
5409
  status: 302,
5410
5410
  statusText: q(302),
5411
- headers: { Location: this.factor2Url + "?error=" + h[F.code] }
5411
+ headers: { Location: this.factor2Url + "?error=" + h[A.code] }
5412
5412
  })
5413
5413
  } : {
5414
5414
  twofa: !0,
5415
5415
  ok: !1,
5416
5416
  response: new Response(JSON.stringify({
5417
5417
  ok: !1,
5418
- errorMessage: F.message,
5419
- errorMessages: F.messages,
5420
- errorCode: F.code,
5421
- errorCodeName: h[F.code]
5418
+ errorMessage: A.message,
5419
+ errorMessages: A.messages,
5420
+ errorCode: A.code,
5421
+ errorCodeName: h[A.code]
5422
5422
  }), {
5423
- status: F.httpStatus,
5424
- statusText: q(F.httpStatus),
5423
+ status: A.httpStatus,
5424
+ statusText: q(A.httpStatus),
5425
5425
  headers: { "content-tyoe": "application/json" }
5426
5426
  })
5427
5427
  };
5428
- return H.updateRequest(s, m.pre2fa.body, m.pre2fa["content-type"]), { twofa: !0, ok: !0 };
5428
+ return H.updateRequest(s, w.pre2fa.body, w.pre2fa["content-type"]), { twofa: !0, ok: !0 };
5429
5429
  } else {
5430
5430
  if (d.logger.debug(u({ msg: "Starting 2FA", username: l.username })), this.enableCsrfProtection && !s.locals.csrfToken) {
5431
5431
  const C = new c(h.Forbidden, "CSRF token missing");
@@ -5447,10 +5447,10 @@ class H {
5447
5447
  })
5448
5448
  };
5449
5449
  }
5450
- const w = new b();
5451
- await w.loadData(s);
5450
+ const m = new b();
5451
+ await m.loadData(s);
5452
5452
  let S = s.request.headers.get("content-type");
5453
- return await this.sessionManager.initiateTwoFactorPageVisit(l, s.locals.sessionId ?? "", w.toObject(), s.request.url.replace(/\?.*$/, ""), S || void 0), i ? {
5453
+ return await this.sessionManager.initiateTwoFactorPageVisit(l, s.locals.sessionId ?? "", m.toObject(), s.request.url.replace(/\?.*$/, ""), S || void 0), a ? {
5454
5454
  twofa: !0,
5455
5455
  ok: !0,
5456
5456
  response: new Response("", {
@@ -5519,7 +5519,7 @@ class H {
5519
5519
  * @param event the request event
5520
5520
  */
5521
5521
  setCsrfCookie(r, o) {
5522
- o.cookies.set(r.name, r.value, R(r.options));
5522
+ o.cookies.set(r.name, r.value, P(r.options));
5523
5523
  }
5524
5524
  setHeader(r, o, t) {
5525
5525
  t.push({
@@ -5539,7 +5539,7 @@ class H {
5539
5539
  const o = this.getSessionCookieValue(r);
5540
5540
  if (!o) return "";
5541
5541
  try {
5542
- return A.hash(o);
5542
+ return F.hash(o);
5543
5543
  } catch {
5544
5544
  }
5545
5545
  return "";
@@ -5556,7 +5556,7 @@ class H {
5556
5556
  const o = this.getCsrfCookieValue(r);
5557
5557
  if (!o) return "";
5558
5558
  try {
5559
- return A.hash(o);
5559
+ return F.hash(o);
5560
5560
  } catch {
5561
5561
  }
5562
5562
  return "";
@@ -5573,28 +5573,28 @@ class H {
5573
5573
  * @returns the string CSRF token for inclusion in forms
5574
5574
  */
5575
5575
  async csrfToken(r, o) {
5576
- var e, s, a;
5576
+ var e, s, i;
5577
5577
  let t;
5578
- if (r.request.headers && r.request.headers.has(B.toLowerCase())) {
5579
- const i = r.request.headers.get(B.toLowerCase());
5580
- Array.isArray(i) ? t = i[0] : i && (t = i);
5578
+ if (r.request.headers && r.request.headers.has(x.toLowerCase())) {
5579
+ const a = r.request.headers.get(x.toLowerCase());
5580
+ Array.isArray(a) ? t = a[0] : a && (t = a);
5581
5581
  }
5582
5582
  if (!t) {
5583
5583
  if (!((e = r.request) != null && e.body)) {
5584
5584
  d.logger.warn(u({ msg: "Received CSRF header but not token", ip: r.request.referrerPolicy, hashedCsrfCookie: this.getHashOfCsrfCookie(r) }));
5585
5585
  return;
5586
5586
  }
5587
- const i = r.request.headers.get("content-type");
5588
- if (i == "application/json")
5589
- t = (await ((a = (s = r.request) == null ? void 0 : s.clone()) == null ? void 0 : a.json())).csrfToken;
5590
- else if (i == "application/x-www-form-urlencoded" || i == "multipart/form-data") {
5587
+ const a = r.request.headers.get("content-type");
5588
+ if (a == "application/json")
5589
+ t = (await ((i = (s = r.request) == null ? void 0 : s.clone()) == null ? void 0 : i.json())).csrfToken;
5590
+ else if (a == "application/x-www-form-urlencoded" || a == "multipart/form-data") {
5591
5591
  const l = (await r.request.clone().formData()).get("csrfToken");
5592
5592
  l && typeof l == "string" && (t = l);
5593
5593
  }
5594
5594
  }
5595
5595
  if (t)
5596
5596
  try {
5597
- this.sessionManager.validateDoubleSubmitCsrfToken(this.getCsrfCookieValue(r), t), r.locals.csrfToken = t, this.setHeader(B, t, o);
5597
+ this.sessionManager.validateDoubleSubmitCsrfToken(this.getCsrfCookieValue(r), t), r.locals.csrfToken = t, this.setHeader(x, t, o);
5598
5598
  } catch {
5599
5599
  d.logger.warn(u({ msg: "Invalid CSRF token", hashedCsrfCookie: this.getHashOfCsrfCookie(r) })), this.clearCookie(this.sessionManager.csrfCookieName, this.sessionManager.csrfCookiePath, r), r.locals.csrfToken = void 0;
5600
5600
  }
@@ -5620,8 +5620,8 @@ class H {
5620
5620
  else {
5621
5621
  e = "";
5622
5622
  for (let s in o) {
5623
- const a = o[s];
5624
- e.length > 0 && (e += "&"), e += encodeURIComponent(s) + "=" + encodeURIComponent(a);
5623
+ const i = o[s];
5624
+ e.length > 0 && (e += "&"), e += encodeURIComponent(s) + "=" + encodeURIComponent(i);
5625
5625
  }
5626
5626
  }
5627
5627
  return r.request = new Request(r.request.url, {
@@ -5639,7 +5639,7 @@ class H {
5639
5639
  getHashOfSessionId(r) {
5640
5640
  if (!r.locals.sessionId) return "";
5641
5641
  try {
5642
- return A.hash(r.locals.sessionId);
5642
+ return F.hash(r.locals.sessionId);
5643
5643
  } catch {
5644
5644
  }
5645
5645
  return "";
@@ -5675,10 +5675,10 @@ class H {
5675
5675
  if (o.pathname == this.loginUrl) return !1;
5676
5676
  let t = !1;
5677
5677
  return t = this.loginProtectedExceptionPageEndpoints.reduce(
5678
- (s, a) => s || P(o.pathname, a),
5678
+ (s, i) => s || I(o.pathname, i),
5679
5679
  t
5680
5680
  ), t ? !1 : this.loginProtectedPageEndpoints.reduce(
5681
- (s, a) => s || P(o.pathname, a),
5681
+ (s, i) => s || I(o.pathname, i),
5682
5682
  !1
5683
5683
  );
5684
5684
  }
@@ -5696,10 +5696,10 @@ class H {
5696
5696
  if (o.pathname == this.loginUrl) return !1;
5697
5697
  let t = !1;
5698
5698
  return t = this.loginProtectedExceptionApiEndpoints.reduce(
5699
- (s, a) => s || P(o.pathname, a),
5699
+ (s, i) => s || I(o.pathname, i),
5700
5700
  t
5701
5701
  ), t ? !1 : this.loginProtectedApiEndpoints.reduce(
5702
- (s, a) => s || P(o.pathname, a),
5702
+ (s, i) => s || I(o.pathname, i),
5703
5703
  !1
5704
5704
  );
5705
5705
  }
@@ -5715,7 +5715,7 @@ class H {
5715
5715
  isFactor2PageProtected(r) {
5716
5716
  const o = new URL(typeof r == "string" ? r : r.request.url);
5717
5717
  return this.factor2ProtectedPageEndpoints.reduce(
5718
- (e, s) => e || P(o.pathname, s),
5718
+ (e, s) => e || I(o.pathname, s),
5719
5719
  !1
5720
5720
  );
5721
5721
  }
@@ -5731,7 +5731,7 @@ class H {
5731
5731
  isFactor2ApiProtected(r) {
5732
5732
  const o = new URL(typeof r == "string" ? r : r.request.url);
5733
5733
  return this.factor2ProtectedApiEndpoints.reduce(
5734
- (e, s) => e || P(o.pathname, s),
5734
+ (e, s) => e || I(o.pathname, s),
5735
5735
  !1
5736
5736
  );
5737
5737
  }
@@ -5746,8 +5746,15 @@ class H {
5746
5746
  */
5747
5747
  isAdminPageEndpoint(r) {
5748
5748
  const o = new URL(typeof r == "string" ? r : r.request.url);
5749
- return this.adminPageEndpoints.reduce(
5750
- (e, s) => e || P(o.pathname, s),
5749
+ let t = !1;
5750
+ return t = this.adminProtectedExceptionPageEndpoints.reduce(
5751
+ (s, i) => s || I(o.pathname, i),
5752
+ t
5753
+ ), t || (t = this.loginProtectedExceptionPageEndpoints.reduce(
5754
+ (s, i) => s || I(o.pathname, i),
5755
+ t
5756
+ ), t) ? !1 : this.adminPageEndpoints.reduce(
5757
+ (s, i) => s || I(o.pathname, i),
5751
5758
  !1
5752
5759
  );
5753
5760
  }
@@ -5762,8 +5769,15 @@ class H {
5762
5769
  */
5763
5770
  isAdminApiEndpoint(r) {
5764
5771
  const o = new URL(typeof r == "string" ? r : r.request.url);
5765
- return this.adminApiEndpoints.reduce(
5766
- (e, s) => e || P(o.pathname, s),
5772
+ let t = !1;
5773
+ return t = this.adminProtectedExceptionApiEndpoints.reduce(
5774
+ (s, i) => s || I(o.pathname, i),
5775
+ t
5776
+ ), t || (t = this.loginProtectedExceptionApiEndpoints.reduce(
5777
+ (s, i) => s || I(o.pathname, i),
5778
+ t
5779
+ ), t) ? !1 : this.adminApiEndpoints.reduce(
5780
+ (s, i) => s || I(o.pathname, i),
5767
5781
  !1
5768
5782
  );
5769
5783
  }
@@ -5785,15 +5799,15 @@ class H {
5785
5799
  await t.loadData(r);
5786
5800
  let e = this.addToSession ? this.addToSession(r, t.toObject()) : {};
5787
5801
  o && (e.data = JSON.stringify(o));
5788
- let { sessionCookie: s, csrfCookie: a, csrfFormOrHeaderValue: i } = await this.sessionManager.createAnonymousSession(e);
5802
+ let { sessionCookie: s, csrfCookie: i, csrfFormOrHeaderValue: a } = await this.sessionManager.createAnonymousSession(e);
5789
5803
  r.cookies.set(
5790
5804
  s.name,
5791
5805
  s.value,
5792
- R(s.options)
5793
- ), this.enableCsrfProtection && (r.locals.csrfToken = i, r.cookies.set(
5794
- a.name,
5795
- a.value,
5796
- R(a.options)
5806
+ P(s.options)
5807
+ ), this.enableCsrfProtection && (r.locals.csrfToken = a, r.cookies.set(
5808
+ i.name,
5809
+ i.value,
5810
+ P(i.options)
5797
5811
  )), r.locals.user = void 0;
5798
5812
  const n = this.sessionManager.getSessionId(s.value);
5799
5813
  return r.locals.sessionId = n, s.value;
@@ -5896,7 +5910,7 @@ export {
5896
5910
  p as SvelteKitServer,
5897
5911
  Re as SvelteKitSessionAdapter,
5898
5912
  H as SvelteKitSessionServer,
5899
- $ as SvelteKitSharedClientEndpoints,
5913
+ X as SvelteKitSharedClientEndpoints,
5900
5914
  Ce as SvelteKitUserClientEndpoints,
5901
5915
  we as SvelteKitUserEndpoints,
5902
5916
  Se as defaultClientSearchFn