npm - @descope/node-sdk - Versions diffs - 1.6.2 → 1.6.4 - Mend

@descope/node-sdk 1.6.2 → 1.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -70,10 +70,12 @@ Then, you can use that to work with the following functions:
 7. [Query SSO Groups](#query-sso-groups)
 8. [Manage Flows](#manage-flows)
 9. [Manage JWTs](#manage-jwts)
-10. [Embedded Links](#embedded-links)
-11. [Search Audit](#search-audit)
-12. [Manage Authz](#manage-authz)
-13. [Manage Project](#manage-project)
+10. [Impersonate](#impersonate)
+11. [Embedded Links](#embedded-links)
+12. [Search Audit](#search-audit)
+13. [Manage Authz](#manage-authz)
+14. [Manage Project](#manage-project)
+15. [Manage SSO applications](#manage-sso-applications)
 If you wish to run any of our code samples and play with them, check out our [Code Examples](#code-examples) section.
@@ -430,11 +432,9 @@ For multi-tenant uses:
 ```typescript
 // You can validate specific permissions
-const validTenantPermissions = descopeClient.validateTenantPermissions(
-  authInfo,
-  'my-tenant-ID',
-  ['Permission to validate'],
-);
+const validTenantPermissions = descopeClient.validateTenantPermissions(authInfo, 'my-tenant-ID', [
+  'Permission to validate',
+]);
 if (!validTenantPermissions) {
   // Deny access
 }
@@ -449,14 +449,14 @@ if (!validTenantRoles) {
 // Or get the matched roles/permissions
 const matchedTenantRoles = descopeClient.getMatchedTenantRoles(authInfo, 'my-tenant-ID', [
-	'Role to validate',
-	'Another role to validate'
+  'Role to validate',
+  'Another role to validate',
 ]);
 const matchedTenantPermissions = descopeClient.getMatchedTenantPermissions(
-	authInfo,
-	'my-tenant-ID',
-	['Permission to validate', 'Another permission to validate']],
+  authInfo,
+  'my-tenant-ID',
+  ['Permission to validate', 'Another permission to validate'],
 );
 ```
@@ -525,7 +525,7 @@ const descopeClient = DescopeClient({
 ### Manage Tenants
-You can create, update, delete or load tenants:
+You can create, update, delete or load tenants, as well as read and update tenant settings:
 ```typescript
 // The self provisioning domains or optional. If given they'll be used to associate
@@ -564,6 +564,102 @@ const searchRes = await descopeClient.management.tenant.searchAll(['id']);
 searchRes.data.forEach((tenant) => {
   // do something
 });
+// Load tenant settings by id
+const tenantSettings = await descopeClient.management.tenant.getSettings('my-tenant-id');
+// Update will override all fields as is. Use carefully.
+await descopeClient.management.tenant.configureSettings('my-tenant-id', {
+  domains: ['domain1.com'],
+  selfProvisioningDomains: ['domain1.com'],
+  sessionSettingsEnabled: true,
+  refreshTokenExpiration: 12,
+  refreshTokenExpirationUnit: 'days',
+  sessionTokenExpiration: 10,
+  sessionTokenExpirationUnit: 'minutes',
+  enableInactivity: true,
+  JITDisabled: false,
+  InactivityTime: 10,
+  InactivityTimeUnit: 'minutes',
+});
+```
+### Manage Password
+You can read and update any tenant password settings and policy:
+```typescript
+// Load tenant password settings by id
+const passwordSettings = await descopeClient.management.password.getSettings('my-tenant-id');
+// Update will override all fields as is. Use carefully.
+await descopeClient.management.password.configureSettings('my-tenant-id', {
+  enabled: true,
+  minLength: 8,
+  expiration: true,
+  expirationWeeks: 4,
+  lock: true,
+  lockAttempts: 5,
+  reuse: true,
+  reuseAmount: 6,
+  lowercase: true,
+  uppercase: false,
+  number: true,
+  nonAlphaNumeric: false,
+});
+```
+### Manage SSO applications
+You can create, update, delete or load SSO applications:
+```typescript
+// Create OIDC sso application
+await descopeClient.management.ssoApplication.createOidcApplication({
+  name: 'My OIDC app name',
+  loginPageUrl: 'http://dummy.com/login',
+});
+// Create SAML sso application
+await descopeClient.management.ssoApplication.createSamlApplication({
+  name: 'My SAML app name',
+  loginPageUrl: 'http://dummy.com/login',
+  useMetadataInfo: true,
+  metadataUrl: 'http://dummy.com/metadata',
+});
+// Update OIDC sso application.
+// Update will override all fields as is. Use carefully.
+await descopeClient.management.ssoApplication.updateOidcApplication({
+  id: 'my-app-id',
+  name: 'My OIDC app name',
+  loginPageUrl: 'http://dummy.com/login',
+});
+// Update SAML sso application.
+// Update will override all fields as is. Use carefully.
+await descopeClient.management.ssoApplication.updateSamlApplication({
+  id: 'my-app-id',
+  name: 'My SAML app name',
+  loginPageUrl: 'http://dummy.com/login',
+  enabled: true,
+  useMetadataInfo: false,
+  entityId: 'entity1234',
+  aceUrl: 'http://dummy.com/acs',
+  certificate: 'certificate',
+});
+// Tenant deletion cannot be undone. Use carefully.
+await descopeClient.management.ssoApplication.delete('my-app-id');
+// Load sso application by id
+const app = await descopeClient.management.ssoApplication.load('my-app-id');
+// Load all sso applications
+const appsRes = await descopeClient.management.ssoApplication.loadAll();
+appsRes.data.forEach((app) => {
+  // do something
+});
 ```
 ### Manage Users
@@ -574,30 +670,25 @@ You can create, update, delete or load users, as well as search according to fil
 // A user must have a login ID, other fields are optional.
 // Roles should be set directly if no tenants exist, otherwise set
 // on a per-tenant basis.
-await descopeClient.management.user.create(
-  'desmond@descope.com',
-  'desmond@descope.com',
-  null,
-  'Desmond Copeland',
-  null,
-  [{ tenantId: 'tenant-ID1', roleNames: ['role-name1'] }],
-);
+await descopeClient.management.user.create('desmond@descope.com', {
+  email: 'desmond@descope.com',
+  displayName: 'Desmond Copeland',
+  userTenants: [{ tenantId: 'tenant-ID1', roleNames: ['role-name1'] }],
+});
 // Alternatively, a user can be created and invited via an email / text message.
 // Make sure to configure the invite URL in the Descope console prior to using this function,
 // and that an email address / phone number is provided in the information.
-await descopeClient.management.user.invite(
-  'desmond@descope.com',
-  'desmond@descope.com',
-  null,
-  'Desmond Copeland',
-  null,
-  [{ tenantId: 'tenant-ID1', roleNames: ['role-name1'] }],
-);
+await descopeClient.management.user.invite('desmond@descope.com', {
+  email: 'desmond@descope.com',
+  displayName: 'Desmond Copeland',
+  userTenants: [{ tenantId: 'tenant-ID1', roleNames: ['role-name1'] }],
+});
 // You can invite batch of users via an email / text message.
 // Make sure to configure the invite URL in the Descope console prior to using this function,
-// and that an email address / phone number is provided in the information.
+// and that an email address / phone number is provided in the information. You can also set
+// a cleartext password or import a prehashed one from another service.
 await descopeClient.management.user.inviteBatch(
   [
     {
@@ -606,6 +697,11 @@ await descopeClient.management.user.inviteBatch(
       phone: '+123456789123',
       displayName: 'Desmond Copeland',
       userTenants: [{ tenantId: 'tenant-ID1', roleNames: ['role-name1'] }],
+      hashedPassword: {
+        bcrypt: {
+          hash: '$2a$...',
+        },
+      },
     },
   ],
   '<invite_url>',
@@ -614,14 +710,11 @@ await descopeClient.management.user.inviteBatch(
 );
 // Update will override all fields as is. Use carefully.
-await descopeClient.management.user.update(
-  'desmond@descope.com',
-  'desmond@descope.com',
-  null,
-  'Desmond Copeland',
-  null,
-  [{ tenantId: 'tenant-ID1', roleNames: ['role-name1', 'role-name2'] }],
-);
+await descopeClient.management.user.update('desmond@descope.com', {
+  email: 'desmond@descope.com',
+  displayName: 'Desmond Copeland',
+  userTenants: [{ tenantId: 'tenant-ID1', roleNames: ['role-name1'] }],
+});
 // Update explicit data for a user rather than overriding all fields
 await descopeClient.management.user.updatePhone('desmond@descope.com', '+18005551234', true);
@@ -643,25 +736,35 @@ const userRes = await descopeClient.management.user.loadByUserId('<user-ID>');
 // Search all users, optionally according to tenant and/or role filter
 // Results can be paginated using the limit and page parameters
-const usersRes = await descopeClient.management.user.searchAll(['tenant-ID']);
+const usersRes = await descopeClient.management.user.search({ tenantIds: ['tenant-ID'] });
 usersRes.data.forEach((user) => {
   // do something
 });
 await descopeClient.management.user.logoutUser('my-custom-id');
-await descopeClient.management.tenant.logoutUserByUserId('<user-ID>');
+await descopeClient.management.user.logoutUserByUserId('<user-ID>');
+// Get users' authentication history
+const userIds = ['user-id-1', 'user-id-2'];
+const usersHistoryRes = await descopeClient.management.user.history(userIds);
+usersHistoryRes.forEach((userHistory) => {
+  // do something
+});
 ```
 #### Set or Expire User Password
-You can set or expire a user's password.
-Note: When setting a password, it will automatically be set as expired.
-The user will not be able log-in using an expired password, and will be required replace it on next login.
+You can set a new active password for a user that they can sign in with.
+You can also set a temporary password that they user will be forced to change on the next login.
+For a user that already has an active password, you can expire their current password, effectively requiring them to change it on the next login.
 ```typescript
+// Set a user's temporary password
+await descopeClient.management.user.setTemporaryPassword('<login-ID>', '<some-password>');
 // Set a user's password
-await descopeClient.management.user.setPassword('<login-ID>', '<some-password>');
+await descopeClient.management.user.setActivePassword('<login-ID>', '<some-password>');
 // Or alternatively, expire a user password
 await descopeClient.management.user.expirePassword('<login-ID>');
@@ -680,6 +783,18 @@ await descopeClient.management.project.updateName('new-project-name');
 const cloneRes = await descopeClient.management.project.clone('new-project-name');
 ```
+You can manage your project's settings and configurations by exporting your
+project's environment. You can also import previously exported data into
+the same project or a different one.
+```typescript
+// Exports the current state of the project
+const files = await descopeClient.management.project.export();
+// Import the previously exported data into the current project
+await descopeClient.management.project.import(files);
+```
 ### Manage Access Keys
 You can create, update, delete or load access keys, as well as search according to filters:
@@ -688,6 +803,7 @@ You can create, update, delete or load access keys, as well as search according
 // An access key must have a name and expiration, other fields are optional.
 // Roles should be set directly if no tenants exist, otherwise set
 // on a per-tenant basis.
+// If userId is supplied, then authorization would be ignored, and access key would be bound to the users authorization
 await descopeClient.management.accessKey.create(
   'key-name',
   123456789, // expiration time
@@ -723,19 +839,25 @@ You can manage SSO settings and map SSO group roles and user attributes.
 ```typescript
 // You can get SSO settings for a specific tenant ID
-const ssoSettings = await descopeClient.management.sso.getSettings("tenant-id")
+const ssoSettings = await descopeClient.management.sso.loadSettings("tenant-id")
 // You can configure SSO settings manually by setting the required fields directly
 const tenantId = 'tenant-id' // Which tenant this configuration is for
 const idpURL = 'https://idp.com'
 const entityID = 'my-idp-entity-id'
 const idpCert = '<your-cert-here>'
-const redirectURL = 'https://my-app.com/handle-saml' // Global redirect URL for SSO/SAML
+const redirectURL = 'https://my-app.com/handle-sso' // Global redirect URL for SSO/SAML
 const domains = ['tenant-users.com'] // Users authentication with this domain will be logged in to this tenant
-await descopeClient.management.sso.configureSettings(tenantID, idpURL, entityID, idpCert, redirectURL, domains)
+await descopeClient.management.sso.configureSAMLSettings(tenantID, {idpURL, entityID, idpCert}, redirectURL, domains)
 // Alternatively, configure using an SSO metadata URL
-await descopeClient.management.sso.configureMetadata(tenantID, 'https://idp.com/my-idp-metadata', redirectURL, domains)
+await descopeClient.management.sso.configureSAMLByMetadata(tenantID, {idpMetadataUrl: 'https://idp.com/my-idp-metadata'}, redirectURL, domains)
+// In case SSO is configured to work with OIDC use the following
+const name = 'some-name';
+const clientId = 'client id of OIDC';
+const clientSecret =  'client secret';
+await descopeClient.management.sso.configureOIDCSettings(tenantID, {name, clientId, clientSecret, redirectUrl}, domains)
 // Map IDP groups to Descope roles, or map user attributes.
 // This function overrides any previous mapping (even when empty). Use carefully.
@@ -788,19 +910,21 @@ You can create, update, delete or load roles:
 ```typescript
 // You can optionally set a description and associated permission for a roles.
+// The optional `tenantId` will scope this role for a specific tenant. If left empty, the role will be available to all tenants.
 const name = 'My Role';
+const tenantId = '<tenant id>';
 let description = 'Optional description to briefly explain what this role allows.';
 const permissionNames = ['My Updated Permission'];
-descopeClient.management.role.create(name, description, permissionNames);
+descopeClient.management.role.create(name, description, permissionNames, tenantId);
 // Update will override all fields as is. Use carefully.
 const newName = 'My Updated Role';
 description = 'A revised description';
 permissionNames.push('Another Permission');
-descopeClient.management.role.update(name, newName, description, permissionNames);
+descopeClient.management.role.update(name, newName, description, permissionNames, tenantId);
 // Role deletion cannot be undone. Use carefully.
-descopeClient.management.role.delete(newName);
+descopeClient.management.role.delete(newName, tenantId);
 // Load all roles
 const rolesRes = await descopeClient.management.role.loadAll();
@@ -849,6 +973,10 @@ console.log('found total flows', res.total);
 res.flows.forEach((flowMetadata) => {
   // do something
 });
+// Delete flows by ids
+await descopeClient.management.flow.delete(['flow-1', 'flow-2']);
 // Export the flow and it's matching screens based on the given id
 const res = await descopeClient.management.flow.export('sign-up');
 console.log('found flow', res.data.flow);
@@ -884,6 +1012,20 @@ const updatedJWTRes = await descopeClient.management.jwt.update('original-jwt',
 });
 ```
+### Impersonate
+You can impersonate to another user
+The impersonator user must have the `impersonation` permission in order for this request to work.
+The response would be a refresh JWT of the impersonated user
+```typescript
+const updatedJWTRes = await descopeClient.management.jwt.impersonate(
+  'impersonator-id',
+  'login-id',
+  true,
+);
+```
 Note 1: The generate code/link functions, work only for test users, will not work for regular users.
 Note 2: In case of testing sign-in / sign-up operations with test users, need to make sure to generate the code prior calling the sign-in / sign-up operations.
@@ -1105,14 +1247,11 @@ that way, you don't need to use 3rd party messaging services in order to receive
 // Test user must have a loginId, other fields are optional.
 // Roles should be set directly if no tenants exist, otherwise set
 // on a per-tenant basis.
-await descopeClient.management.user.createTestUser(
-  'desmond@descope.com',
-  'desmond@descope.com',
-  null,
-  'Desmond Copeland',
-  null,
-  [{ tenantId: 'tenant-ID1', roleNames: ['role-name1'] }],
-);
+await descopeClient.management.user.createTestUser('desmond@descope.com', {
+  email: 'desmond@descope.com',
+  displayName: 'Desmond Copeland',
+  userTenants: [{ tenantId: 'tenant-ID1', roleNames: ['role-name1'] }],
+});
 // Now test user got created, and this user will be available until you delete it,
 // you can use any management operation for test user CRUD.
@@ -1143,7 +1282,7 @@ const { link, pendingRef } = await descopeClient.management.user.generateEnchant
 ## Code Examples
-You can find various usage examples in the [examples folder](https://github.com/descope/node-sdk/blob/main/examples).
+You can find various usage examples in the [examples folder](/examples).
 ### Setup

package/dist/cjs/index.cjs.js CHANGED Viewed

@@ -1,2 +1,2 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0});var e=require("tslib"),t=require("@descope/core-js-sdk"),s=require("jose"),n=require("cross-fetch");function o(e){return e&&"object"==typeof e&&"default"in e?e:{default:e}}var a=o(t);const r=t=>async(...s)=>{var n,o,a;const r=await t(...s);if(!r.data)return r;let i=r.data,{refreshJwt:l}=i,m=e.__rest(i,["refreshJwt"]);const d=[];var p;return l?d.push(`${"DSR"}=${l}; Domain=${(null==(p=m)?void 0:p.cookieDomain)||""}; Max-Age=${(null==p?void 0:p.cookieMaxAge)||""}; Path=${(null==p?void 0:p.cookiePath)||"/"}; HttpOnly; SameSite=Strict`):(null===(n=r.response)||void 0===n?void 0:n.headers.get("set-cookie"))&&(l=((e,t)=>{const s=null==e?void 0:e.match(RegExp(`(?:^|;\\s*)${t}=([^;]*)`));return s?s[1]:null})(null===(o=r.response)||void 0===o?void 0:o.headers.get("set-cookie"),"DSR"),d.push(null===(a=r.response)||void 0===a?void 0:a.headers.get("set-cookie"))),Object.assign(Object.assign({},r),{data:Object.assign(Object.assign({},r.data),{refreshJwt:l,cookies:d})})};function i(e,t,s){var n,o;const a=s?null===(o=null===(n=e.token.tenants)||void 0===n?void 0:n[s])||void 0===o?void 0:o[t]:e.token[t];return Array.isArray(a)?a:[]}function l(e,t){var s;return!!(null===(s=e.token.tenants)||void 0===s?void 0:s[t])}var m={create:"/v1/mgmt/user/create",createBatch:"/v1/mgmt/user/create/batch",update:"/v1/mgmt/user/update",delete:"/v1/mgmt/user/delete",deleteAllTestUsers:"/v1/mgmt/user/test/delete/all",load:"/v1/mgmt/user",logout:"/v1/mgmt/user/logout",search:"/v1/mgmt/user/search",getProviderToken:"/v1/mgmt/user/provider/token",updateStatus:"/v1/mgmt/user/update/status",updateLoginId:"/v1/mgmt/user/update/loginid",updateEmail:"/v1/mgmt/user/update/email",updatePhone:"/v1/mgmt/user/update/phone",updateDisplayName:"/v1/mgmt/user/update/name",updatePicture:"/v1/mgmt/user/update/picture",updateCustomAttribute:"/v1/mgmt/user/update/customAttribute",setRole:"/v1/mgmt/user/update/role/set",addRole:"/v1/mgmt/user/update/role/add",removeRole:"/v1/mgmt/user/update/role/remove",addTenant:"/v1/mgmt/user/update/tenant/add",removeTenant:"/v1/mgmt/user/update/tenant/remove",setPassword:"/v1/mgmt/user/password/set",expirePassword:"/v1/mgmt/user/password/expire",generateOTPForTest:"/v1/mgmt/tests/generate/otp",generateMagicLinkForTest:"/v1/mgmt/tests/generate/magiclink",generateEnchantedLinkForTest:"/v1/mgmt/tests/generate/enchantedlink",generateEmbeddedLink:"/v1/mgmt/user/signin/embeddedlink"},d={updateName:"/v1/mgmt/project/update/name",clone:"/v1/mgmt/project/clone"},p={create:"/v1/mgmt/accesskey/create",load:"/v1/mgmt/accesskey",search:"/v1/mgmt/accesskey/search",update:"/v1/mgmt/accesskey/update",deactivate:"/v1/mgmt/accesskey/deactivate",activate:"/v1/mgmt/accesskey/activate",delete:"/v1/mgmt/accesskey/delete"},u={create:"/v1/mgmt/tenant/create",update:"/v1/mgmt/tenant/update",delete:"/v1/mgmt/tenant/delete",load:"/v1/mgmt/tenant",loadAll:"/v1/mgmt/tenant/all",searchAll:"/v1/mgmt/tenant/search"},c={settings:"/v1/mgmt/sso/settings",metadata:"/v1/mgmt/sso/metadata",mapping:"/v1/mgmt/sso/mapping"},g={update:"/v1/mgmt/jwt/update"},h={create:"/v1/mgmt/permission/create",update:"/v1/mgmt/permission/update",delete:"/v1/mgmt/permission/delete",loadAll:"/v1/mgmt/permission/all"},v={create:"/v1/mgmt/role/create",update:"/v1/mgmt/role/update",delete:"/v1/mgmt/role/delete",loadAll:"/v1/mgmt/role/all"},f={list:"/v1/mgmt/flow/list",export:"/v1/mgmt/flow/export",import:"/v1/mgmt/flow/import"},k={export:"/v1/mgmt/theme/export",import:"/v1/mgmt/theme/import"},R={loadAllGroups:"/v1/mgmt/group/all",loadAllGroupsForMember:"/v1/mgmt/group/member/all",loadAllGroupMembers:"/v1/mgmt/group/members"},C={search:"/v1/mgmt/audit/search"},y={schemaSave:"/v1/mgmt/authz/schema/save",schemaDelete:"/v1/mgmt/authz/schema/delete",schemaLoad:"/v1/mgmt/authz/schema/load",nsSave:"/v1/mgmt/authz/ns/save",nsDelete:"/v1/mgmt/authz/ns/delete",rdSave:"/v1/mgmt/authz/rd/save",rdDelete:"/v1/mgmt/authz/rd/delete",reCreate:"/v1/mgmt/authz/re/create",reDelete:"/v1/mgmt/authz/re/delete",reDeleteResources:"/v1/mgmt/authz/re/deleteresources",hasRelations:"/v1/mgmt/authz/re/has",who:"/v1/mgmt/authz/re/who",resource:"/v1/mgmt/authz/re/resource",targets:"/v1/mgmt/authz/re/targets",targetAll:"/v1/mgmt/authz/re/targetall"};const w=(e,s)=>({create:(n,o,a,r,i,l,d,p,u,c,g,h,v,f)=>t.transformResponse(e.httpClient.post(m.create,{loginId:n,email:o,phone:a,displayName:r,givenName:g,middleName:h,familyName:v,roleNames:i,userTenants:l,customAttributes:d,picture:p,verifiedEmail:u,verifiedPhone:c,additionalLoginIds:f},{token:s}),(e=>e.user)),createTestUser:(n,o,a,r,i,l,d,p,u,c,g,h,v,f)=>t.transformResponse(e.httpClient.post(m.create,{loginId:n,email:o,phone:a,displayName:r,givenName:g,middleName:h,familyName:v,roleNames:i,userTenants:l,test:!0,customAttributes:d,picture:p,verifiedEmail:u,verifiedPhone:c,additionalLoginIds:f},{token:s}),(e=>e.user)),invite:(n,o,a,r,i,l,d,p,u,c,g,h,v,f,k,R,C)=>t.transformResponse(e.httpClient.post(m.create,{loginId:n,email:o,phone:a,displayName:r,givenName:f,middleName:k,familyName:R,roleNames:i,userTenants:l,invite:!0,customAttributes:d,picture:p,verifiedEmail:u,verifiedPhone:c,inviteUrl:g,sendMail:h,sendSMS:v,additionalLoginIds:C},{token:s}),(e=>e.user)),inviteBatch:(n,o,a,r)=>t.transformResponse(e.httpClient.post(m.createBatch,{users:n,invite:!0,inviteUrl:o,sendMail:a,sendSMS:r},{token:s}),(e=>e)),update:(n,o,a,r,i,l,d,p,u,c,g,h,v,f)=>t.transformResponse(e.httpClient.post(m.update,{loginId:n,email:o,phone:a,displayName:r,givenName:g,middleName:h,familyName:v,roleNames:i,userTenants:l,customAttributes:d,picture:p,verifiedEmail:u,verifiedPhone:c,additionalLoginIds:f},{token:s}),(e=>e.user)),delete:n=>t.transformResponse(e.httpClient.post(m.delete,{loginId:n},{token:s})),deleteAllTestUsers:()=>t.transformResponse(e.httpClient.delete(m.deleteAllTestUsers,{token:s})),load:n=>t.transformResponse(e.httpClient.get(m.load,{queryParams:{loginId:n},token:s}),(e=>e.user)),loadByUserId:n=>t.transformResponse(e.httpClient.get(m.load,{queryParams:{userId:n},token:s}),(e=>e.user)),logoutUser:n=>t.transformResponse(e.httpClient.post(m.logout,{loginId:n},{token:s})),logoutUserByUserId:n=>t.transformResponse(e.httpClient.post(m.logout,{userId:n},{token:s})),searchAll:(n,o,a,r,i,l,d,p,u,c)=>t.transformResponse(e.httpClient.post(m.search,{tenantIds:n,roleNames:o,limit:a,page:r,testUsersOnly:i,withTestUser:l,customAttributes:d,statuses:p,emails:u,phones:c},{token:s}),(e=>e.users)),getProviderToken:(n,o)=>t.transformResponse(e.httpClient.get(m.getProviderToken,{queryParams:{loginId:n,provider:o},token:s}),(e=>e)),activate:n=>t.transformResponse(e.httpClient.post(m.updateStatus,{loginId:n,status:"enabled"},{token:s}),(e=>e.user)),deactivate:n=>t.transformResponse(e.httpClient.post(m.updateStatus,{loginId:n,status:"disabled"},{token:s}),(e=>e.user)),updateLoginId:(n,o)=>t.transformResponse(e.httpClient.post(m.updateLoginId,{loginId:n,newLoginId:o},{token:s}),(e=>e.user)),updateEmail:(n,o,a)=>t.transformResponse(e.httpClient.post(m.updateEmail,{loginId:n,email:o,verified:a},{token:s}),(e=>e.user)),updatePhone:(n,o,a)=>t.transformResponse(e.httpClient.post(m.updatePhone,{loginId:n,phone:o,verified:a},{token:s}),(e=>e.user)),updateDisplayName:(n,o,a,r,i)=>t.transformResponse(e.httpClient.post(m.updateDisplayName,{loginId:n,displayName:o,givenName:a,middleName:r,familyName:i},{token:s}),(e=>e.user)),updatePicture:(n,o)=>t.transformResponse(e.httpClient.post(m.updatePicture,{loginId:n,picture:o},{token:s}),(e=>e.user)),updateCustomAttribute:(n,o,a)=>t.transformResponse(e.httpClient.post(m.updateCustomAttribute,{loginId:n,attributeKey:o,attributeValue:a},{token:s}),(e=>e.user)),setRoles:(n,o)=>t.transformResponse(e.httpClient.post(m.setRole,{loginId:n,roleNames:o},{token:s}),(e=>e.user)),addRoles:(n,o)=>t.transformResponse(e.httpClient.post(m.addRole,{loginId:n,roleNames:o},{token:s}),(e=>e.user)),removeRoles:(n,o)=>t.transformResponse(e.httpClient.post(m.removeRole,{loginId:n,roleNames:o},{token:s}),(e=>e.user)),addTenant:(n,o)=>t.transformResponse(e.httpClient.post(m.addTenant,{loginId:n,tenantId:o},{token:s}),(e=>e.user)),removeTenant:(n,o)=>t.transformResponse(e.httpClient.post(m.removeTenant,{loginId:n,tenantId:o},{token:s}),(e=>e.user)),setTenantRoles:(n,o,a)=>t.transformResponse(e.httpClient.post(m.setRole,{loginId:n,tenantId:o,roleNames:a},{token:s}),(e=>e.user)),addTenantRoles:(n,o,a)=>t.transformResponse(e.httpClient.post(m.addRole,{loginId:n,tenantId:o,roleNames:a},{token:s}),(e=>e.user)),removeTenantRoles:(n,o,a)=>t.transformResponse(e.httpClient.post(m.removeRole,{loginId:n,tenantId:o,roleNames:a},{token:s}),(e=>e.user)),generateOTPForTestUser:(n,o,a)=>t.transformResponse(e.httpClient.post(m.generateOTPForTest,{deliveryMethod:n,loginId:o,loginOptions:a},{token:s}),(e=>e)),generateMagicLinkForTestUser:(n,o,a,r)=>t.transformResponse(e.httpClient.post(m.generateMagicLinkForTest,{deliveryMethod:n,loginId:o,URI:a,loginOptions:r},{token:s}),(e=>e)),generateEnchantedLinkForTestUser:(n,o,a)=>t.transformResponse(e.httpClient.post(m.generateEnchantedLinkForTest,{loginId:n,URI:o,loginOptions:a},{token:s}),(e=>e)),generateEmbeddedLink:(n,o)=>t.transformResponse(e.httpClient.post(m.generateEmbeddedLink,{loginId:n,customClaims:o},{token:s}),(e=>e)),setPassword:(n,o)=>t.transformResponse(e.httpClient.post(m.setPassword,{loginId:n,password:o},{token:s}),(e=>e)),expirePassword:n=>t.transformResponse(e.httpClient.post(m.expirePassword,{loginId:n},{token:s}),(e=>e))}),I=(e,s)=>({updateName:n=>t.transformResponse(e.httpClient.post(d.updateName,{name:n},{token:s})),clone:(n,o)=>t.transformResponse(e.httpClient.post(d.clone,{name:n,tag:o},{token:s}))}),b=(e,s)=>({create:(n,o,a)=>t.transformResponse(e.httpClient.post(u.create,{name:n,selfProvisioningDomains:o,customAttributes:a},{token:s})),createWithId:(n,o,a,r)=>t.transformResponse(e.httpClient.post(u.create,{id:n,name:o,selfProvisioningDomains:a,customAttributes:r},{token:s})),update:(n,o,a,r)=>t.transformResponse(e.httpClient.post(u.update,{id:n,name:o,selfProvisioningDomains:a,customAttributes:r},{token:s})),delete:n=>t.transformResponse(e.httpClient.post(u.delete,{id:n},{token:s})),load:n=>t.transformResponse(e.httpClient.get(u.load,{queryParams:{id:n},token:s}),(e=>e)),loadAll:()=>t.transformResponse(e.httpClient.get(u.loadAll,{token:s}),(e=>e.tenants)),searchAll:(n,o,a,r)=>t.transformResponse(e.httpClient.post(u.searchAll,{tenantIds:n,tenantNames:o,tenantSelfProvisioningDomains:a,customAttributes:r},{token:s}),(e=>e.tenants))}),N=(e,s)=>({update:(n,o)=>t.transformResponse(e.httpClient.post(g.update,{jwt:n,customClaims:o},{token:s}))}),A=(e,s)=>({create:(n,o)=>t.transformResponse(e.httpClient.post(h.create,{name:n,description:o},{token:s})),update:(n,o,a)=>t.transformResponse(e.httpClient.post(h.update,{name:n,newName:o,description:a},{token:s})),delete:n=>t.transformResponse(e.httpClient.post(h.delete,{name:n},{token:s})),loadAll:()=>t.transformResponse(e.httpClient.get(h.loadAll,{token:s}),(e=>e.permissions))}),T=(e,s)=>({create:(n,o,a)=>t.transformResponse(e.httpClient.post(v.create,{name:n,description:o,permissionNames:a},{token:s})),update:(n,o,a,r)=>t.transformResponse(e.httpClient.post(v.update,{name:n,newName:o,description:a,permissionNames:r},{token:s})),delete:n=>t.transformResponse(e.httpClient.post(v.delete,{name:n},{token:s})),loadAll:()=>t.transformResponse(e.httpClient.get(v.loadAll,{token:s}),(e=>e.roles))}),P=(e,s)=>({loadAllGroups:n=>t.transformResponse(e.httpClient.post(R.loadAllGroups,{tenantId:n},{token:s})),loadAllGroupsForMember:(n,o,a)=>t.transformResponse(e.httpClient.post(R.loadAllGroupsForMember,{tenantId:n,loginIds:a,userIds:o},{token:s})),loadAllGroupMembers:(n,o)=>t.transformResponse(e.httpClient.post(R.loadAllGroupMembers,{tenantId:n,groupId:o},{token:s}))}),E=(e,s)=>({getSettings:n=>t.transformResponse(e.httpClient.get(c.settings,{queryParams:{tenantId:n},token:s}),(e=>e)),deleteSettings:n=>t.transformResponse(e.httpClient.delete(c.settings,{queryParams:{tenantId:n},token:s})),configureSettings:(n,o,a,r,i,l)=>t.transformResponse(e.httpClient.post(c.settings,{tenantId:n,idpURL:o,entityId:r,idpCert:a,redirectURL:i,domains:l},{token:s})),configureMetadata:(n,o,a,r)=>t.transformResponse(e.httpClient.post(c.metadata,{tenantId:n,idpMetadataURL:o,redirectURL:a,domains:r},{token:s})),configureMapping:(n,o,a)=>t.transformResponse(e.httpClient.post(c.mapping,{tenantId:n,roleMappings:o,attributeMapping:a},{token:s}))}),x=(e,s)=>({create:(n,o,a,r)=>t.transformResponse(e.httpClient.post(p.create,{name:n,expireTime:o,roleNames:a,keyTenants:r},{token:s})),load:n=>t.transformResponse(e.httpClient.get(p.load,{queryParams:{id:n},token:s}),(e=>e.key)),searchAll:n=>t.transformResponse(e.httpClient.post(p.search,{tenantIds:n},{token:s}),(e=>e.keys)),update:(n,o)=>t.transformResponse(e.httpClient.post(p.update,{id:n,name:o},{token:s}),(e=>e.key)),deactivate:n=>t.transformResponse(e.httpClient.post(p.deactivate,{id:n},{token:s})),activate:n=>t.transformResponse(e.httpClient.post(p.activate,{id:n},{token:s})),delete:n=>t.transformResponse(e.httpClient.post(p.delete,{id:n},{token:s}))}),S=(e,s)=>({list:()=>t.transformResponse(e.httpClient.post(f.list,{},{token:s})),export:n=>t.transformResponse(e.httpClient.post(f.export,{flowId:n},{token:s})),import:(n,o,a)=>t.transformResponse(e.httpClient.post(f.import,{flowId:n,flow:o,screens:a},{token:s}))}),j=(e,s)=>({export:()=>t.transformResponse(e.httpClient.post(k.export,{},{token:s})),import:n=>t.transformResponse(e.httpClient.post(k.import,{theme:n},{token:s}))}),M=(e,s)=>({search:n=>{const o=Object.assign(Object.assign({},n),{externalIds:n.loginIds});return delete o.loginIds,t.transformResponse(e.httpClient.post(C.search,o,{token:s}),(e=>null==e?void 0:e.audits.map((e=>{const t=Object.assign(Object.assign({},e),{occurred:parseFloat(e.occurred),loginIds:e.externalIds});return delete t.externalIds,t}))))}}),O=(e,s)=>({saveSchema:(n,o)=>t.transformResponse(e.httpClient.post(y.schemaSave,{schema:n,upgrade:o},{token:s})),deleteSchema:()=>t.transformResponse(e.httpClient.post(y.schemaDelete,{},{token:s})),loadSchema:()=>t.transformResponse(e.httpClient.post(y.schemaLoad,{},{token:s}),(e=>e.schema)),saveNamespace:(n,o,a)=>t.transformResponse(e.httpClient.post(y.nsSave,{namespace:n,oldName:o,schemaName:a},{token:s})),deleteNamespace:(n,o)=>t.transformResponse(e.httpClient.post(y.nsDelete,{name:n,schemaName:o},{token:s})),saveRelationDefinition:(n,o,a,r)=>t.transformResponse(e.httpClient.post(y.rdSave,{relationDefinition:n,namespace:o,oldName:a,schemaName:r},{token:s})),deleteRelationDefinition:(n,o,a)=>t.transformResponse(e.httpClient.post(y.rdDelete,{name:n,namespace:o,schemaName:a},{token:s})),createRelations:n=>t.transformResponse(e.httpClient.post(y.reCreate,{relations:n},{token:s})),deleteRelations:n=>t.transformResponse(e.httpClient.post(y.reDelete,{relations:n},{token:s})),deleteRelationsForResources:n=>t.transformResponse(e.httpClient.post(y.reDeleteResources,{resources:n},{token:s})),hasRelations:n=>t.transformResponse(e.httpClient.post(y.hasRelations,{relationQueries:n},{token:s}),(e=>e.relationQueries)),whoCanAccess:(n,o,a)=>t.transformResponse(e.httpClient.post(y.who,{resource:n,relationDefinition:o,namespace:a},{token:s}),(e=>e.targets)),resourceRelations:n=>t.transformResponse(e.httpClient.post(y.resource,{resource:n},{token:s}),(e=>e.relations)),targetsRelations:n=>t.transformResponse(e.httpClient.post(y.targets,{targets:n},{token:s}),(e=>e.relations)),whatCanTargetAccess:n=>t.transformResponse(e.httpClient.post(y.targetAll,{target:n},{token:s}),(e=>e.relations))});var D;null!==(D=globalThis.Headers)&&void 0!==D||(globalThis.Headers=n.Headers);const L=(...e)=>(e.forEach((e=>{var t,s;e&&(null!==(t=(s=e).highWaterMark)&&void 0!==t||(s.highWaterMark=31457280))})),n.fetch(...e)),U=n=>{var o,{managementKey:m,publicKey:d}=n,p=e.__rest(n,["managementKey","publicKey"]);const u=a.default(Object.assign(Object.assign({fetch:L},p),{baseHeaders:Object.assign(Object.assign({},p.baseHeaders),{"x-descope-sdk-name":"nodejs","x-descope-sdk-node-version":(null===(o=null===process||void 0===process?void 0:process.versions)||void 0===o?void 0:o.node)||"","x-descope-sdk-version":"1.6.2"})})),{projectId:c,logger:g}=p,h={},v=((e,t)=>({user:w(e,t),project:I(e,t),accessKey:x(e,t),tenant:b(e,t),sso:E(e,t),jwt:N(e,t),permission:A(e,t),role:T(e,t),group:P(e,t),flow:S(e,t),theme:j(e,t),audit:M(e,t),authz:O(e,t)}))(u,m),f=Object.assign(Object.assign({},u),{management:v,async getKey(e){if(!(null==e?void 0:e.kid))throw Error("header.kid must not be empty");if(h[e.kid])return h[e.kid];if(Object.assign(h,await(async()=>{if(d)try{const e=JSON.parse(d),t=await s.importJWK(e);return{[e.kid]:t}}catch(e){throw null==g||g.error("Failed to parse the provided public key",e),new Error(`Failed to parse public key. Error: ${e}`)}const e=(await u.httpClient.get(`v2/keys/${c}`).then((e=>e.json()))).keys;return Array.isArray(e)?(await Promise.all(e.map((async e=>[e.kid,await s.importJWK(e)])))).reduce(((e,[t,s])=>t?Object.assign(Object.assign({},e),{[t.toString()]:s}):e),{}):{}})()),!h[e.kid])throw Error("failed to fetch matching key");return h[e.kid]},async validateJwt(e){var t;const n=(await s.jwtVerify(e,f.getKey,{clockTolerance:5})).payload;if(n&&(n.iss=null===(t=n.iss)||void 0===t?void 0:t.split("/").pop(),n.iss!==c))throw new s.errors.JWTClaimValidationFailed('unexpected "iss" claim value',"iss","check_failed");return{jwt:e,token:n}},async validateSession(e){if(!e)throw Error("session token is required for validation");try{return await f.validateJwt(e)}catch(e){throw null==g||g.error("session validation failed",e),Error(`session validation failed. Error: ${e}`)}},async refreshSession(e){var t,s;if(!e)throw Error("refresh token is required to refresh a session");try{await f.validateJwt(e);const n=await f.refresh(e);if(n.ok){return await f.validateJwt(null===(t=n.data)||void 0===t?void 0:t.sessionJwt)}throw Error(null===(s=n.error)||void 0===s?void 0:s.errorMessage)}catch(e){throw null==g||g.error("refresh token validation failed",e),Error(`refresh token validation failed, Error: ${e}`)}},async validateAndRefreshSession(e,t){if(!e&&!t)throw Error("both session and refresh tokens are empty");try{return await f.validateSession(e)}catch(e){null==g||g.log(`session validation failed with error ${e} - trying to refresh it`)}return f.refreshSession(t)},async exchangeAccessKey(e){if(!e)throw Error("access key must not be empty");let t;try{t=await f.accessKey.exchange(e)}catch(e){throw null==g||g.error("failed to exchange access key",e),Error(`could not exchange access key - Failed to exchange. Error: ${e}`)}const{sessionJwt:s}=t.data;if(!s)throw null==g||g.error("failed to parse exchange access key response"),Error("could not exchange access key");try{return await f.validateJwt(s)}catch(e){throw null==g||g.error("failed to parse jwt from access key",e),Error(`could not exchange access key - failed to validate jwt. Error: ${e}`)}},validatePermissions:(e,t)=>f.validateTenantPermissions(e,"",t),getMatchedPermissions:(e,t)=>f.getMatchedTenantPermissions(e,"",t),validateTenantPermissions(e,t,s){if(t&&!l(e,t))return!1;const n=i(e,"permissions",t);return s.every((e=>n.includes(e)))},getMatchedTenantPermissions(e,t,s){if(t&&!l(e,t))return[];const n=i(e,"permissions",t);return s.filter((e=>n.includes(e)))},validateRoles:(e,t)=>f.validateTenantRoles(e,"",t),getMatchedRoles:(e,t)=>f.getMatchedTenantRoles(e,"",t),validateTenantRoles(e,t,s){if(t&&!l(e,t))return!1;const n=i(e,"roles",t);return s.every((e=>n.includes(e)))},getMatchedTenantRoles(e,t,s){if(t&&!l(e,t))return[];const n=i(e,"roles",t);return s.filter((e=>n.includes(e)))}});return t.wrapWith(f,["otp.verify.email","otp.verify.sms","otp.verify.whatsapp","magicLink.verify","enchantedLink.signUp","enchantedLink.signIn","oauth.exchange","saml.exchange","totp.verify","webauthn.signIn.finish","webauthn.signUp.finish","refresh"],r)};U.RefreshTokenCookieName="DSR",U.SessionTokenCookieName="DS",exports.default=U,exports.descopeErrors={badRequest:"E011001",missingArguments:"E011002",invalidRequest:"E011003",invalidArguments:"E011004",wrongOTPCode:"E061102",tooManyOTPAttempts:"E061103",enchantedLinkPending:"E062503",userNotFound:"E062108"};
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0});var e=require("tslib"),t=require("@descope/core-js-sdk"),s=require("jose"),n=require("util"),o=require("cross-fetch");function a(e){return e&&"object"==typeof e&&"default"in e?e:{default:e}}var r=a(t);const i=t=>async(...s)=>{var n,o,a;const r=await t(...s);if(!r.data)return r;let i=r.data,{refreshJwt:l}=i,p=e.__rest(i,["refreshJwt"]);const d=[];var m;return l?d.push(`${"DSR"}=${l}; Domain=${(null==(m=p)?void 0:m.cookieDomain)||""}; Max-Age=${(null==m?void 0:m.cookieMaxAge)||""}; Path=${(null==m?void 0:m.cookiePath)||"/"}; HttpOnly; SameSite=Strict`):(null===(n=r.response)||void 0===n?void 0:n.headers.get("set-cookie"))&&(l=((e,t)=>{const s=null==e?void 0:e.match(RegExp(`(?:^|;\\s*)${t}=([^;]*)`));return s?s[1]:null})(null===(o=r.response)||void 0===o?void 0:o.headers.get("set-cookie"),"DSR"),d.push(null===(a=r.response)||void 0===a?void 0:a.headers.get("set-cookie"))),Object.assign(Object.assign({},r),{data:Object.assign(Object.assign({},r.data),{refreshJwt:l,cookies:d})})};function l(e,t,s){var n,o;const a=s?null===(o=null===(n=e.token.tenants)||void 0===n?void 0:n[s])||void 0===o?void 0:o[t]:e.token[t];return Array.isArray(a)?a:[]}function p(e,t){var s;return!!(null===(s=e.token.tenants)||void 0===s?void 0:s[t])}var d={create:"/v1/mgmt/user/create",createBatch:"/v1/mgmt/user/create/batch",update:"/v1/mgmt/user/update",delete:"/v1/mgmt/user/delete",deleteAllTestUsers:"/v1/mgmt/user/test/delete/all",load:"/v1/mgmt/user",logout:"/v1/mgmt/user/logout",search:"/v1/mgmt/user/search",getProviderToken:"/v1/mgmt/user/provider/token",updateStatus:"/v1/mgmt/user/update/status",updateLoginId:"/v1/mgmt/user/update/loginid",updateEmail:"/v1/mgmt/user/update/email",updatePhone:"/v1/mgmt/user/update/phone",updateDisplayName:"/v1/mgmt/user/update/name",updatePicture:"/v1/mgmt/user/update/picture",updateCustomAttribute:"/v1/mgmt/user/update/customAttribute",setRole:"/v1/mgmt/user/update/role/set",addRole:"/v1/mgmt/user/update/role/add",removeRole:"/v1/mgmt/user/update/role/remove",setSSOApps:"/v1/mgmt/user/update/ssoapp/set",addSSOApps:"/v1/mgmt/user/update/ssoapp/add",removeSSOApps:"/v1/mgmt/user/update/ssoapp/remove",addTenant:"/v1/mgmt/user/update/tenant/add",removeTenant:"/v1/mgmt/user/update/tenant/remove",setPassword:"/v1/mgmt/user/password/set",setTemporaryPassword:"/v1/mgmt/user/password/set/temporary",setActivePassword:"/v1/mgmt/user/password/set/active",expirePassword:"/v1/mgmt/user/password/expire",removeAllPasskeys:"/v1/mgmt/user/passkeys/delete",generateOTPForTest:"/v1/mgmt/tests/generate/otp",generateMagicLinkForTest:"/v1/mgmt/tests/generate/magiclink",generateEnchantedLinkForTest:"/v1/mgmt/tests/generate/enchantedlink",generateEmbeddedLink:"/v1/mgmt/user/signin/embeddedlink",history:"/v1/mgmt/user/history"},m={updateName:"/v1/mgmt/project/update/name",clone:"/v1/mgmt/project/clone",export:"/v1/mgmt/project/export",import:"/v1/mgmt/project/import"},c={create:"/v1/mgmt/accesskey/create",load:"/v1/mgmt/accesskey",search:"/v1/mgmt/accesskey/search",update:"/v1/mgmt/accesskey/update",deactivate:"/v1/mgmt/accesskey/deactivate",activate:"/v1/mgmt/accesskey/activate",delete:"/v1/mgmt/accesskey/delete"},g={create:"/v1/mgmt/tenant/create",update:"/v1/mgmt/tenant/update",delete:"/v1/mgmt/tenant/delete",load:"/v1/mgmt/tenant",settings:"/v1/mgmt/tenant/settings",loadAll:"/v1/mgmt/tenant/all",searchAll:"/v1/mgmt/tenant/search"},u={oidcCreate:"/v1/mgmt/sso/idp/app/oidc/create",samlCreate:"/v1/mgmt/sso/idp/app/saml/create",oidcUpdate:"/v1/mgmt/sso/idp/app/oidc/update",samlUpdate:"/v1/mgmt/sso/idp/app/saml/update",delete:"/v1/mgmt/sso/idp/app/delete",load:"/v1/mgmt/sso/idp/app/load",loadAll:"/v1/mgmt/sso/idp/apps/load"},h={settings:"/v1/mgmt/sso/settings",metadata:"/v1/mgmt/sso/metadata",mapping:"/v1/mgmt/sso/mapping",settingsv2:"/v2/mgmt/sso/settings",oidc:{configure:"/v1/mgmt/sso/oidc"},saml:{configure:"/v1/mgmt/sso/saml",metadata:"/v1/mgmt/sso/saml/metadata"}},v={update:"/v1/mgmt/jwt/update",impersonate:"/v1/mgmt/impersonate"},f={settings:"/v1/mgmt/password/settings"},k={create:"/v1/mgmt/permission/create",update:"/v1/mgmt/permission/update",delete:"/v1/mgmt/permission/delete",loadAll:"/v1/mgmt/permission/all"},R={create:"/v1/mgmt/role/create",update:"/v1/mgmt/role/update",delete:"/v1/mgmt/role/delete",loadAll:"/v1/mgmt/role/all"},C={list:"/v1/mgmt/flow/list",delete:"/v1/mgmt/flow/delete",export:"/v1/mgmt/flow/export",import:"/v1/mgmt/flow/import"},y={export:"/v1/mgmt/theme/export",import:"/v1/mgmt/theme/import"},I={loadAllGroups:"/v1/mgmt/group/all",loadAllGroupsForMember:"/v1/mgmt/group/member/all",loadAllGroupMembers:"/v1/mgmt/group/members"},b={search:"/v1/mgmt/audit/search"},w={schemaSave:"/v1/mgmt/authz/schema/save",schemaDelete:"/v1/mgmt/authz/schema/delete",schemaLoad:"/v1/mgmt/authz/schema/load",nsSave:"/v1/mgmt/authz/ns/save",nsDelete:"/v1/mgmt/authz/ns/delete",rdSave:"/v1/mgmt/authz/rd/save",rdDelete:"/v1/mgmt/authz/rd/delete",reCreate:"/v1/mgmt/authz/re/create",reDelete:"/v1/mgmt/authz/re/delete",reDeleteResources:"/v1/mgmt/authz/re/deleteresources",hasRelations:"/v1/mgmt/authz/re/has",who:"/v1/mgmt/authz/re/who",resource:"/v1/mgmt/authz/re/resource",targets:"/v1/mgmt/authz/re/targets",targetAll:"/v1/mgmt/authz/re/targetall",getModified:"/v1/mgmt/authz/getmodified"};const A=(e,s)=>({create:function(n,o,a,r,i,l,p,m,c,g,u,h,v,f){const k="string"==typeof o?{loginId:n,email:o,phone:a,displayName:r,givenName:u,middleName:h,familyName:v,roleNames:i,userTenants:l,customAttributes:p,picture:m,verifiedEmail:c,verifiedPhone:g,additionalLoginIds:f}:Object.assign(Object.assign({loginId:n},o),{roleNames:null==o?void 0:o.roles,roles:void 0});return t.transformResponse(e.httpClient.post(d.create,k,{token:s}),(e=>e.user))},createTestUser:function(n,o,a,r,i,l,p,m,c,g,u,h,v,f){const k="string"==typeof o?{loginId:n,email:o,phone:a,displayName:r,givenName:u,middleName:h,familyName:v,roleNames:i,userTenants:l,customAttributes:p,picture:m,verifiedEmail:c,verifiedPhone:g,additionalLoginIds:f,test:!0}:Object.assign(Object.assign({loginId:n},o),{roleNames:null==o?void 0:o.roles,roles:void 0,test:!0});return t.transformResponse(e.httpClient.post(d.create,k,{token:s}),(e=>e.user))},invite:function(n,o,a,r,i,l,p,m,c,g,u,h,v,f,k,R,C){const y="string"==typeof o?{loginId:n,email:o,phone:a,displayName:r,givenName:f,middleName:k,familyName:R,roleNames:i,userTenants:l,invite:!0,customAttributes:p,picture:m,verifiedEmail:c,verifiedPhone:g,inviteUrl:u,sendMail:h,sendSMS:v,additionalLoginIds:C}:Object.assign(Object.assign({loginId:n},o),{roleNames:null==o?void 0:o.roles,roles:void 0,invite:!0});return t.transformResponse(e.httpClient.post(d.create,y,{token:s}),(e=>e.user))},inviteBatch:(n,o,a,r)=>t.transformResponse(e.httpClient.post(d.createBatch,{users:n,invite:!0,inviteUrl:o,sendMail:a,sendSMS:r},{token:s}),(e=>e)),update:function(n,o,a,r,i,l,p,m,c,g,u,h,v,f){const k="string"==typeof o?{loginId:n,email:o,phone:a,displayName:r,givenName:u,middleName:h,familyName:v,roleNames:i,userTenants:l,customAttributes:p,picture:m,verifiedEmail:c,verifiedPhone:g,additionalLoginIds:f}:Object.assign(Object.assign({loginId:n},o),{roleNames:null==o?void 0:o.roles,roles:void 0});return t.transformResponse(e.httpClient.post(d.update,k,{token:s}),(e=>e.user))},delete:n=>t.transformResponse(e.httpClient.post(d.delete,{loginId:n},{token:s})),deleteByUserId:n=>t.transformResponse(e.httpClient.post(d.delete,{userId:n},{token:s})),deleteAllTestUsers:()=>t.transformResponse(e.httpClient.delete(d.deleteAllTestUsers,{token:s})),load:n=>t.transformResponse(e.httpClient.get(d.load,{queryParams:{loginId:n},token:s}),(e=>e.user)),loadByUserId:n=>t.transformResponse(e.httpClient.get(d.load,{queryParams:{userId:n},token:s}),(e=>e.user)),logoutUser:n=>t.transformResponse(e.httpClient.post(d.logout,{loginId:n},{token:s})),logoutUserByUserId:n=>t.transformResponse(e.httpClient.post(d.logout,{userId:n},{token:s})),searchAll:n.deprecate(((n,o,a,r,i,l,p,m,c,g)=>t.transformResponse(e.httpClient.post(d.search,{tenantIds:n,roleNames:o,limit:a,page:r,testUsersOnly:i,withTestUser:l,customAttributes:p,statuses:m,emails:c,phones:g},{token:s}),(e=>e.users))),"searchAll is deprecated please use search() instead"),search:n=>t.transformResponse(e.httpClient.post(d.search,Object.assign(Object.assign({},n),{roleNames:n.roles,roles:void 0}),{token:s}),(e=>e.users)),getProviderToken:(n,o)=>t.transformResponse(e.httpClient.get(d.getProviderToken,{queryParams:{loginId:n,provider:o},token:s}),(e=>e)),activate:n=>t.transformResponse(e.httpClient.post(d.updateStatus,{loginId:n,status:"enabled"},{token:s}),(e=>e.user)),deactivate:n=>t.transformResponse(e.httpClient.post(d.updateStatus,{loginId:n,status:"disabled"},{token:s}),(e=>e.user)),updateLoginId:(n,o)=>t.transformResponse(e.httpClient.post(d.updateLoginId,{loginId:n,newLoginId:o},{token:s}),(e=>e.user)),updateEmail:(n,o,a)=>t.transformResponse(e.httpClient.post(d.updateEmail,{loginId:n,email:o,verified:a},{token:s}),(e=>e.user)),updatePhone:(n,o,a)=>t.transformResponse(e.httpClient.post(d.updatePhone,{loginId:n,phone:o,verified:a},{token:s}),(e=>e.user)),updateDisplayName:(n,o,a,r,i)=>t.transformResponse(e.httpClient.post(d.updateDisplayName,{loginId:n,displayName:o,givenName:a,middleName:r,familyName:i},{token:s}),(e=>e.user)),updatePicture:(n,o)=>t.transformResponse(e.httpClient.post(d.updatePicture,{loginId:n,picture:o},{token:s}),(e=>e.user)),updateCustomAttribute:(n,o,a)=>t.transformResponse(e.httpClient.post(d.updateCustomAttribute,{loginId:n,attributeKey:o,attributeValue:a},{token:s}),(e=>e.user)),setRoles:(n,o)=>t.transformResponse(e.httpClient.post(d.setRole,{loginId:n,roleNames:o},{token:s}),(e=>e.user)),addRoles:(n,o)=>t.transformResponse(e.httpClient.post(d.addRole,{loginId:n,roleNames:o},{token:s}),(e=>e.user)),removeRoles:(n,o)=>t.transformResponse(e.httpClient.post(d.removeRole,{loginId:n,roleNames:o},{token:s}),(e=>e.user)),addTenant:(n,o)=>t.transformResponse(e.httpClient.post(d.addTenant,{loginId:n,tenantId:o},{token:s}),(e=>e.user)),removeTenant:(n,o)=>t.transformResponse(e.httpClient.post(d.removeTenant,{loginId:n,tenantId:o},{token:s}),(e=>e.user)),setTenantRoles:(n,o,a)=>t.transformResponse(e.httpClient.post(d.setRole,{loginId:n,tenantId:o,roleNames:a},{token:s}),(e=>e.user)),addTenantRoles:(n,o,a)=>t.transformResponse(e.httpClient.post(d.addRole,{loginId:n,tenantId:o,roleNames:a},{token:s}),(e=>e.user)),removeTenantRoles:(n,o,a)=>t.transformResponse(e.httpClient.post(d.removeRole,{loginId:n,tenantId:o,roleNames:a},{token:s}),(e=>e.user)),addSSOapps:(n,o)=>t.transformResponse(e.httpClient.post(d.addSSOApps,{loginId:n,ssoAppIds:o},{token:s}),(e=>e.user)),setSSOapps:(n,o)=>t.transformResponse(e.httpClient.post(d.setSSOApps,{loginId:n,ssoAppIds:o},{token:s}),(e=>e.user)),removeSSOapps:(n,o)=>t.transformResponse(e.httpClient.post(d.removeSSOApps,{loginId:n,ssoAppIds:o},{token:s}),(e=>e.user)),generateOTPForTestUser:(n,o,a)=>t.transformResponse(e.httpClient.post(d.generateOTPForTest,{deliveryMethod:n,loginId:o,loginOptions:a},{token:s}),(e=>e)),generateMagicLinkForTestUser:(n,o,a,r)=>t.transformResponse(e.httpClient.post(d.generateMagicLinkForTest,{deliveryMethod:n,loginId:o,URI:a,loginOptions:r},{token:s}),(e=>e)),generateEnchantedLinkForTestUser:(n,o,a)=>t.transformResponse(e.httpClient.post(d.generateEnchantedLinkForTest,{loginId:n,URI:o,loginOptions:a},{token:s}),(e=>e)),generateEmbeddedLink:(n,o)=>t.transformResponse(e.httpClient.post(d.generateEmbeddedLink,{loginId:n,customClaims:o},{token:s}),(e=>e)),setTemporaryPassword:(n,o)=>t.transformResponse(e.httpClient.post(d.setTemporaryPassword,{loginId:n,password:o},{token:s}),(e=>e)),setActivePassword:(n,o)=>t.transformResponse(e.httpClient.post(d.setActivePassword,{loginId:n,password:o},{token:s}),(e=>e)),setPassword:(n,o)=>t.transformResponse(e.httpClient.post(d.setPassword,{loginId:n,password:o},{token:s}),(e=>e)),expirePassword:n=>t.transformResponse(e.httpClient.post(d.expirePassword,{loginId:n},{token:s}),(e=>e)),removeAllPasskeys:n=>t.transformResponse(e.httpClient.post(d.removeAllPasskeys,{loginId:n},{token:s}),(e=>e)),history:n=>t.transformResponse(e.httpClient.post(d.history,n,{token:s}),(e=>e))}),S=(e,s)=>({updateName:n=>t.transformResponse(e.httpClient.post(m.updateName,{name:n},{token:s})),clone:(n,o)=>t.transformResponse(e.httpClient.post(m.clone,{name:n,tag:o},{token:s})),export:()=>t.transformResponse(e.httpClient.post(m.export,{},{token:s}),(e=>e.files)),import:n=>t.transformResponse(e.httpClient.post(m.export,{files:n},{token:s}))}),O=(e,s)=>({create:(n,o,a)=>t.transformResponse(e.httpClient.post(g.create,{name:n,selfProvisioningDomains:o,customAttributes:a},{token:s})),createWithId:(n,o,a,r)=>t.transformResponse(e.httpClient.post(g.create,{id:n,name:o,selfProvisioningDomains:a,customAttributes:r},{token:s})),update:(n,o,a,r)=>t.transformResponse(e.httpClient.post(g.update,{id:n,name:o,selfProvisioningDomains:a,customAttributes:r},{token:s})),delete:n=>t.transformResponse(e.httpClient.post(g.delete,{id:n},{token:s})),load:n=>t.transformResponse(e.httpClient.get(g.load,{queryParams:{id:n},token:s}),(e=>e)),loadAll:()=>t.transformResponse(e.httpClient.get(g.loadAll,{token:s}),(e=>e.tenants)),searchAll:(n,o,a,r)=>t.transformResponse(e.httpClient.post(g.searchAll,{tenantIds:n,tenantNames:o,tenantSelfProvisioningDomains:a,customAttributes:r},{token:s}),(e=>e.tenants)),getSettings:n=>t.transformResponse(e.httpClient.get(g.settings,{queryParams:{id:n},token:s}),(e=>e)),configureSettings:(n,o)=>t.transformResponse(e.httpClient.post(g.settings,Object.assign(Object.assign({},o),{tenantId:n}),{token:s}))}),N=(e,s)=>({update:(n,o)=>t.transformResponse(e.httpClient.post(v.update,{jwt:n,customClaims:o},{token:s})),impersonate:(n,o,a)=>t.transformResponse(e.httpClient.post(v.impersonate,{impersonatorId:n,loginId:o,validateConsent:a},{token:s}))}),j=(e,s)=>({create:(n,o)=>t.transformResponse(e.httpClient.post(k.create,{name:n,description:o},{token:s})),update:(n,o,a)=>t.transformResponse(e.httpClient.post(k.update,{name:n,newName:o,description:a},{token:s})),delete:n=>t.transformResponse(e.httpClient.post(k.delete,{name:n},{token:s})),loadAll:()=>t.transformResponse(e.httpClient.get(k.loadAll,{token:s}),(e=>e.permissions))}),P=(e,s)=>({create:(n,o,a,r)=>t.transformResponse(e.httpClient.post(R.create,{name:n,description:o,permissionNames:a,tenantId:r},{token:s})),update:(n,o,a,r,i)=>t.transformResponse(e.httpClient.post(R.update,{name:n,newName:o,description:a,permissionNames:r,tenantId:i},{token:s})),delete:(n,o)=>t.transformResponse(e.httpClient.post(R.delete,{name:n,tenantId:o},{token:s})),loadAll:()=>t.transformResponse(e.httpClient.get(R.loadAll,{token:s}),(e=>e.roles))}),T=(e,s)=>({loadAllGroups:n=>t.transformResponse(e.httpClient.post(I.loadAllGroups,{tenantId:n},{token:s})),loadAllGroupsForMember:(n,o,a)=>t.transformResponse(e.httpClient.post(I.loadAllGroupsForMember,{tenantId:n,loginIds:a,userIds:o},{token:s})),loadAllGroupMembers:(n,o)=>t.transformResponse(e.httpClient.post(I.loadAllGroupMembers,{tenantId:n,groupId:o},{token:s}))}),M=(e,s)=>({getSettings:n.deprecate((n=>t.transformResponse(e.httpClient.get(h.settings,{queryParams:{tenantId:n},token:s}),(e=>e))),"getSettings is deprecated, please use loadSettings instead"),deleteSettings:n=>t.transformResponse(e.httpClient.delete(h.settings,{queryParams:{tenantId:n},token:s})),configureSettings:n.deprecate(((n,o,a,r,i,l)=>t.transformResponse(e.httpClient.post(h.settings,{tenantId:n,idpURL:o,entityId:r,idpCert:a,redirectURL:i,domains:l},{token:s}))),"configureSettings is deprecated, please use configureSAMLSettings instead "),configureMetadata:n.deprecate(((n,o,a,r)=>t.transformResponse(e.httpClient.post(h.metadata,{tenantId:n,idpMetadataURL:o,redirectURL:a,domains:r},{token:s}))),"configureMetadata is deprecated, please use configureSAMLByMetadata instead"),configureMapping:(n,o,a)=>t.transformResponse(e.httpClient.post(h.mapping,{tenantId:n,roleMappings:o,attributeMapping:a},{token:s})),configureOIDCSettings:(n,o,a)=>{const r=Object.assign(Object.assign({},o),{userAttrMapping:o.attributeMapping});return delete r.attributeMapping,t.transformResponse(e.httpClient.post(h.oidc.configure,{tenantId:n,settings:r,domains:a},{token:s}))},configureSAMLSettings:(n,o,a,r)=>t.transformResponse(e.httpClient.post(h.saml.configure,{tenantId:n,settings:o,redirectUrl:a,domains:r},{token:s})),configureSAMLByMetadata:(n,o,a,r)=>t.transformResponse(e.httpClient.post(h.saml.metadata,{tenantId:n,settings:o,redirectUrl:a,domains:r},{token:s})),loadSettings:n=>t.transformResponse(e.httpClient.get(h.settingsv2,{queryParams:{tenantId:n},token:s}),(e=>{var t,s;const n=e;return n.oidc&&(n.oidc=Object.assign(Object.assign({},n.oidc),{attributeMapping:n.oidc.userAttrMapping}),delete n.oidc.userAttrMapping),(null===(t=n.saml)||void 0===t?void 0:t.groupsMapping)&&(n.saml.groupsMapping=null===(s=n.saml)||void 0===s?void 0:s.groupsMapping.map((e=>{const t=e;return t.roleName=t.role.name,delete t.role,t}))),n}))}),E=(e,s)=>({create:(n,o,a,r,i)=>t.transformResponse(e.httpClient.post(c.create,{name:n,expireTime:o,roleNames:a,keyTenants:r,userId:i},{token:s})),load:n=>t.transformResponse(e.httpClient.get(c.load,{queryParams:{id:n},token:s}),(e=>e.key)),searchAll:n=>t.transformResponse(e.httpClient.post(c.search,{tenantIds:n},{token:s}),(e=>e.keys)),update:(n,o)=>t.transformResponse(e.httpClient.post(c.update,{id:n,name:o},{token:s}),(e=>e.key)),deactivate:n=>t.transformResponse(e.httpClient.post(c.deactivate,{id:n},{token:s})),activate:n=>t.transformResponse(e.httpClient.post(c.activate,{id:n},{token:s})),delete:n=>t.transformResponse(e.httpClient.post(c.delete,{id:n},{token:s}))}),x=(e,s)=>({list:()=>t.transformResponse(e.httpClient.post(C.list,{},{token:s})),delete:n=>t.transformResponse(e.httpClient.post(C.delete,{ids:n},{token:s})),export:n=>t.transformResponse(e.httpClient.post(C.export,{flowId:n},{token:s})),import:(n,o,a)=>t.transformResponse(e.httpClient.post(C.import,{flowId:n,flow:o,screens:a},{token:s}))}),L=(e,s)=>({export:()=>t.transformResponse(e.httpClient.post(y.export,{},{token:s})),import:n=>t.transformResponse(e.httpClient.post(y.import,{theme:n},{token:s}))}),U=(e,s)=>({search:n=>{const o=Object.assign(Object.assign({},n),{externalIds:n.loginIds});return delete o.loginIds,t.transformResponse(e.httpClient.post(b.search,o,{token:s}),(e=>null==e?void 0:e.audits.map((e=>{const t=Object.assign(Object.assign({},e),{occurred:parseFloat(e.occurred),loginIds:e.externalIds});return delete t.externalIds,t}))))}}),D=(e,s)=>({saveSchema:(n,o)=>t.transformResponse(e.httpClient.post(w.schemaSave,{schema:n,upgrade:o},{token:s})),deleteSchema:()=>t.transformResponse(e.httpClient.post(w.schemaDelete,{},{token:s})),loadSchema:()=>t.transformResponse(e.httpClient.post(w.schemaLoad,{},{token:s}),(e=>e.schema)),saveNamespace:(n,o,a)=>t.transformResponse(e.httpClient.post(w.nsSave,{namespace:n,oldName:o,schemaName:a},{token:s})),deleteNamespace:(n,o)=>t.transformResponse(e.httpClient.post(w.nsDelete,{name:n,schemaName:o},{token:s})),saveRelationDefinition:(n,o,a,r)=>t.transformResponse(e.httpClient.post(w.rdSave,{relationDefinition:n,namespace:o,oldName:a,schemaName:r},{token:s})),deleteRelationDefinition:(n,o,a)=>t.transformResponse(e.httpClient.post(w.rdDelete,{name:n,namespace:o,schemaName:a},{token:s})),createRelations:n=>t.transformResponse(e.httpClient.post(w.reCreate,{relations:n},{token:s})),deleteRelations:n=>t.transformResponse(e.httpClient.post(w.reDelete,{relations:n},{token:s})),deleteRelationsForResources:n=>t.transformResponse(e.httpClient.post(w.reDeleteResources,{resources:n},{token:s})),hasRelations:n=>t.transformResponse(e.httpClient.post(w.hasRelations,{relationQueries:n},{token:s}),(e=>e.relationQueries)),whoCanAccess:(n,o,a)=>t.transformResponse(e.httpClient.post(w.who,{resource:n,relationDefinition:o,namespace:a},{token:s}),(e=>e.targets)),resourceRelations:n=>t.transformResponse(e.httpClient.post(w.resource,{resource:n},{token:s}),(e=>e.relations)),targetsRelations:n=>t.transformResponse(e.httpClient.post(w.targets,{targets:n},{token:s}),(e=>e.relations)),whatCanTargetAccess:n=>t.transformResponse(e.httpClient.post(w.targetAll,{target:n},{token:s}),(e=>e.relations)),getModified:n=>t.transformResponse(e.httpClient.post(w.getModified,{since:n?n.getTime():0},{token:s}),(e=>e))}),q=(e,s)=>({createOidcApplication:n=>{var o;return t.transformResponse(e.httpClient.post(u.oidcCreate,Object.assign(Object.assign({},n),{enabled:null===(o=n.enabled)||void 0===o||o}),{token:s}))},createSamlApplication:n=>{var o;return t.transformResponse(e.httpClient.post(u.samlCreate,Object.assign(Object.assign({},n),{enabled:null===(o=n.enabled)||void 0===o||o}),{token:s}))},updateOidcApplication:n=>t.transformResponse(e.httpClient.post(u.oidcUpdate,Object.assign({},n),{token:s})),updateSamlApplication:n=>t.transformResponse(e.httpClient.post(u.samlUpdate,Object.assign({},n),{token:s})),delete:n=>t.transformResponse(e.httpClient.post(u.delete,{id:n},{token:s})),load:n=>t.transformResponse(e.httpClient.get(u.load,{queryParams:{id:n},token:s}),(e=>e)),loadAll:()=>t.transformResponse(e.httpClient.get(u.loadAll,{token:s}),(e=>e.apps))}),F=(e,s)=>({getSettings:n=>t.transformResponse(e.httpClient.get(f.settings,{queryParams:{tenantId:n},token:s}),(e=>e)),configureSettings:(n,o)=>t.transformResponse(e.httpClient.post(f.settings,Object.assign(Object.assign({},o),{tenantId:n}),{token:s}))});var z;null!==(z=globalThis.Headers)&&void 0!==z||(globalThis.Headers=o.Headers);const J=(...e)=>(e.forEach((e=>{var t,s;e&&(null!==(t=(s=e).highWaterMark)&&void 0!==t||(s.highWaterMark=31457280))})),o.fetch(...e)),$=n=>{var o,{managementKey:a,publicKey:d}=n,m=e.__rest(n,["managementKey","publicKey"]);const c=r.default(Object.assign(Object.assign({fetch:J},m),{baseHeaders:Object.assign(Object.assign({},m.baseHeaders),{"x-descope-sdk-name":"nodejs","x-descope-sdk-node-version":(null===(o=null===process||void 0===process?void 0:process.versions)||void 0===o?void 0:o.node)||"","x-descope-sdk-version":"1.6.4"})})),{projectId:g,logger:u}=m,h={},v=((e,t)=>({user:A(e,t),project:S(e,t),accessKey:E(e,t),tenant:O(e,t),ssoApplication:q(e,t),sso:M(e,t),jwt:N(e,t),permission:j(e,t),password:F(e,t),role:P(e,t),group:T(e,t),flow:x(e,t),theme:L(e,t),audit:U(e,t),authz:D(e,t)}))(c,a),f=Object.assign(Object.assign({},c),{management:v,async getKey(e){if(!(null==e?void 0:e.kid))throw Error("header.kid must not be empty");if(h[e.kid])return h[e.kid];if(Object.assign(h,await(async()=>{if(d)try{const e=JSON.parse(d),t=await s.importJWK(e);return{[e.kid]:t}}catch(e){throw null==u||u.error("Failed to parse the provided public key",e),new Error(`Failed to parse public key. Error: ${e}`)}const e=(await c.httpClient.get(`v2/keys/${g}`).then((e=>e.json()))).keys;return Array.isArray(e)?(await Promise.all(e.map((async e=>[e.kid,await s.importJWK(e)])))).reduce(((e,[t,s])=>t?Object.assign(Object.assign({},e),{[t.toString()]:s}):e),{}):{}})()),!h[e.kid])throw Error("failed to fetch matching key");return h[e.kid]},async validateJwt(e){var t;const n=(await s.jwtVerify(e,f.getKey,{clockTolerance:5})).payload;if(n&&(n.iss=null===(t=n.iss)||void 0===t?void 0:t.split("/").pop(),n.iss!==g))throw new s.errors.JWTClaimValidationFailed('unexpected "iss" claim value',"iss","check_failed");return{jwt:e,token:n}},async validateSession(e){if(!e)throw Error("session token is required for validation");try{return await f.validateJwt(e)}catch(e){throw null==u||u.error("session validation failed",e),Error(`session validation failed. Error: ${e}`)}},async refreshSession(e){var t,s;if(!e)throw Error("refresh token is required to refresh a session");try{await f.validateJwt(e);const n=await f.refresh(e);if(n.ok){return await f.validateJwt(null===(t=n.data)||void 0===t?void 0:t.sessionJwt)}throw Error(null===(s=n.error)||void 0===s?void 0:s.errorMessage)}catch(e){throw null==u||u.error("refresh token validation failed",e),Error(`refresh token validation failed, Error: ${e}`)}},async validateAndRefreshSession(e,t){if(!e&&!t)throw Error("both session and refresh tokens are empty");try{return await f.validateSession(e)}catch(e){null==u||u.log(`session validation failed with error ${e} - trying to refresh it`)}return f.refreshSession(t)},async exchangeAccessKey(e,t){if(!e)throw Error("access key must not be empty");let s;try{s=await f.accessKey.exchange(e,t)}catch(e){throw null==u||u.error("failed to exchange access key",e),Error(`could not exchange access key - Failed to exchange. Error: ${e}`)}const{sessionJwt:n}=s.data;if(!n)throw null==u||u.error("failed to parse exchange access key response"),Error("could not exchange access key");try{return await f.validateJwt(n)}catch(e){throw null==u||u.error("failed to parse jwt from access key",e),Error(`could not exchange access key - failed to validate jwt. Error: ${e}`)}},validatePermissions:(e,t)=>f.validateTenantPermissions(e,"",t),getMatchedPermissions:(e,t)=>f.getMatchedTenantPermissions(e,"",t),validateTenantPermissions(e,t,s){if(t&&!p(e,t))return!1;const n=l(e,"permissions",t);return s.every((e=>n.includes(e)))},getMatchedTenantPermissions(e,t,s){if(t&&!p(e,t))return[];const n=l(e,"permissions",t);return s.filter((e=>n.includes(e)))},validateRoles:(e,t)=>f.validateTenantRoles(e,"",t),getMatchedRoles:(e,t)=>f.getMatchedTenantRoles(e,"",t),validateTenantRoles(e,t,s){if(t&&!p(e,t))return!1;const n=l(e,"roles",t);return s.every((e=>n.includes(e)))},getMatchedTenantRoles(e,t,s){if(t&&!p(e,t))return[];const n=l(e,"roles",t);return s.filter((e=>n.includes(e)))}});return t.wrapWith(f,["otp.verify.email","otp.verify.sms","otp.verify.whatsapp","magicLink.verify","enchantedLink.signUp","enchantedLink.signIn","oauth.exchange","saml.exchange","totp.verify","webauthn.signIn.finish","webauthn.signUp.finish","refresh"],i)};$.RefreshTokenCookieName="DSR",$.SessionTokenCookieName="DS",exports.default=$,exports.descopeErrors={badRequest:"E011001",missingArguments:"E011002",invalidRequest:"E011003",invalidArguments:"E011004",wrongOTPCode:"E061102",tooManyOTPAttempts:"E061103",enchantedLinkPending:"E062503",userNotFound:"E062108"};
 //# sourceMappingURL=index.cjs.js.map