@descope/web-js-sdk 0.0.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +106 -0
  3. package/dist/cjs/index.cjs.js +2 -0
  4. package/dist/cjs/index.cjs.js.map +1 -0
  5. package/dist/cjs/package.json +1 -0
  6. package/dist/index.d.ts +3847 -0
  7. package/dist/index.esm.js +2 -0
  8. package/dist/index.esm.js.map +1 -0
  9. package/dist/index.umd.js +4 -0
  10. package/dist/index.umd.js.map +1 -0
  11. package/package.json +99 -0
package/dist/index.esm.js ADDED
@@ -0,0 +1,2 @@
1
+ import{__rest as e}from"tslib";import{jwtDecode as t}from"jwt-decode";import n,{wrapWith as o}from"@descope/core-js-sdk";import i from"js-cookie";import{load as r,defaultEndpoint as s,defaultScriptUrlPattern as a}from"@fingerprintjs/fingerprintjs-pro";const c=e=>{try{return t(e).exp}catch(e){return null}},l=e=>{const{refresh_expire_in:t,refresh_token:n}=e;return t?Math.floor(Date.now()/1e3)+t:c(n)},u=e=>{const{expires_in:t,expires_at:n,access_token:o}=e;return n||(t?Math.floor(Date.now()/1e3)+t:o?c(o):void 0)},d=(e,t)=>{var n;return["beforeRequest","afterRequest"].reduce(((n,o)=>{var i;return n[o]=[].concat((null===(i=e.hooks)||void 0===i?void 0:i[o])||[]).concat((null==t?void 0:t[o])||[]),n}),null!==(n=e.hooks)&&void 0!==n?n:e.hooks={}),e},g=async t=>{if(!(null==t?void 0:t.ok))return{};const n=await(null==t?void 0:t.clone().json());return(t=>{const{access_token:n,id_token:o,refresh_token:i,refresh_expire_in:r}=t,s=e(t,["access_token","id_token","refresh_token","refresh_expire_in"]);return Object.assign({sessionJwt:t.sessionJwt||n,idToken:o,refreshJwt:t.refreshJwt||i,sessionExpiration:t.sessionExpiration||u(t),cookieExpiration:t.cookieExpiration||l(t)},s)})((null==n?void 0:n.authInfo)||n||{})},p=async e=>{const t=await g(e);return(null==t?void 0:t.user)||((null==t?void 0:t.hasOwnProperty("userId"))?t:void 0)},f="undefined"!=typeof localStorage,w=(e,t)=>f&&(null===localStorage||void 0===localStorage?void 0:localStorage.setItem(e,t)),h=e=>f&&(null===localStorage||void 0===localStorage?void 0:localStorage.getItem(e)),v=e=>f&&(null===localStorage||void 0===localStorage?void 0:localStorage.removeItem(e)),m=(...e)=>{console.debug(...e)},y="3.2.0",b="undefined"!=typeof window,S=Math.pow(2,31)-1,k=`https://descopecdn.com/npm/oidc-client-ts@${y}/dist/browser/oidc-client-ts.min.js`,_=`https://cdn.jsdelivr.net/npm/oidc-client-ts@${y}/dist/browser/oidc-client-ts.min.js`,I=e=>{let t=((n=e)?n.getTime()-(new Date).getTime():0)-2e4;var n;return t>S&&(m(`Timeout is too large (${t}ms), setting it to ${S}ms`),t=S),t},O="DS",U="DSR",j="DSI";function x(e,t,n){if(t){const{cookieDomain:o,cookiePath:r,cookieSameSite:s,cookieExpiration:a,cookieSecure:c}=n,l=new Date(1e3*a),u=function(e){const t=window.location.hostname.split("."),n=e.split(".");return t.slice(-n.length).join(".")===e}(o);i.set(e,t,{path:r,domain:u?o:void 0,expires:l,sameSite:s,secure:c})}}function C(e=""){return h(`${e}${U}`)||""}function R(e=""){return i.get(O)||h(`${e}${O}`)||""}function D(e=""){return h(`${e}${j}`)||""}function A(e=""){v(`${e}${U}`),v(`${e}${O}`),v(`${e}${j}`),i.remove(O)}const J=b&&(null===localStorage||void 0===localStorage?void 0:localStorage.getItem("fingerprint.endpoint.url"))||"https://api.descope.com",L="vsid",T="vrid",$="fp",K=(e=!1)=>{const t=localStorage.getItem($);if(!t)return null;const n=JSON.parse(t);return(new Date).getTime()>n.expiry&&!e?null:n.value},E=async(e,t=J)=>{try{if(K())return;const n=(Date.now().toString(36)+Math.random().toString(36).substring(2)+Math.random().toString(36).substring(2)).substring(0,27),o=new URL(t);o.pathname="/fXj8gt3x8VulJBna/x96Emn69oZwcd7I6";const i=new URL(t);i.pathname="/fXj8gt3x8VulJBna/w78aRZnnDZ3Aqw0I";const c=i.toString()+"?apiKey=<apiKey>&version=<version>&loaderVersion=<loaderVersion>",l=r({apiKey:e,endpoint:[o.toString(),s],scriptUrlPattern:[c,a]}),u=await l,{requestId:d}=await u.get({linkedId:n}),g=((e,t)=>({[L]:e,[T]:t}))(n,d);(e=>{const t={value:e,expiry:(new Date).getTime()+864e5};localStorage.setItem($,JSON.stringify(t))})(g)}catch(e){console.warn("Could not load fingerprint",e)}},P=()=>{localStorage.removeItem($)},N=e=>{const t=K(!0);return t&&e.body&&(e.body.fpData=t),e},q="dls_last_user_login_id",V="dls_last_user_display_name",M=()=>h(q),H=()=>h(V),G=e=>async(...t)=>{var n;t[1]=t[1]||{};const[,o={}]=t,i=M(),r=H();i&&(null!==(n=o.lastAuth)&&void 0!==n||(o.lastAuth={}),o.lastAuth.loginId=i,o.lastAuth.name=r);return await e(...t)},B=e=>t=>async(...n)=>{const o=await t(...n);return e||(v(q),v(V)),o};function F(){const e=[];return{pub:t=>{e.forEach((e=>e(t)))},sub:t=>{const n=e.push(t)-1;return()=>e.splice(n,1)}}}const Z=e=>t=>async(...n)=>{const o=await t(...n);return A(e),o};async function W(e){const t=function(e){var t;const n=JSON.parse(e);return n.publicKey.challenge=te(n.publicKey.challenge),n.publicKey.user.id=te(n.publicKey.user.id),null===(t=n.publicKey.excludeCredentials)||void 0===t||t.forEach((e=>{e.id=te(e.id)})),n}(e),n=await navigator.credentials.create(t);return o=n,JSON.stringify({id:o.id,rawId:ne(o.rawId),type:o.type,response:{attestationObject:ne(o.response.attestationObject),clientDataJSON:ne(o.response.clientDataJSON)}});var o}async function X(e){const t=Y(e);return ee(await navigator.credentials.get(t))}async function z(e,t){const n=Y(e);n.signal=t.signal,n.mediation="conditional";return ee(await navigator.credentials.get(n))}async function Q(e=!1){if(!b)return Promise.resolve(!1);const t=!!(window.PublicKeyCredential&&navigator.credentials&&navigator.credentials.create&&navigator.credentials.get);return t&&e&&PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable?PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable():t}function Y(e){var t;const n=JSON.parse(e);return n.publicKey.challenge=te(n.publicKey.challenge),null===(t=n.publicKey.allowCredentials)||void 0===t||t.forEach((e=>{e.id=te(e.id)})),n}function ee(e){return JSON.stringify({id:e.id,rawId:ne(e.rawId),type:e.type,response:{authenticatorData:ne(e.response.authenticatorData),clientDataJSON:ne(e.response.clientDataJSON),signature:ne(e.response.signature),userHandle:e.response.userHandle?ne(e.response.userHandle):void 0}})}function te(e){const t=e.replace(/_/g,"/").replace(/-/g,"+");return Uint8Array.from(atob(t),(e=>e.charCodeAt(0))).buffer}function ne(e){return btoa(String.fromCharCode.apply(null,new Uint8Array(e))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}var oe,ie=(oe=e=>({async signUp(t,n,o){const i=await e.webauthn.signUp.start(t,window.location.origin,n,o);if(!i.ok)return i;const r=await W(i.data.options);return await e.webauthn.signUp.finish(i.data.transactionId,r)},async signIn(t,n){const o=await e.webauthn.signIn.start(t,window.location.origin,void 0,void 0,n);if(!o.ok)return o;const i=await X(o.data.options);return await e.webauthn.signIn.finish(o.data.transactionId,i)},async signUpOrIn(t,n){var o;const i=await e.webauthn.signUpOrIn.start(t,window.location.origin,n);if(!i.ok)return i;if(null===(o=i.data)||void 0===o?void 0:o.create){const t=await W(i.data.options);return await e.webauthn.signUp.finish(i.data.transactionId,t)}{const t=await X(i.data.options);return await e.webauthn.signIn.finish(i.data.transactionId,t)}},async update(t,n,o){const i=await e.webauthn.update.start(t,window.location.origin,n,o);if(!i.ok)return i;const r=await W(i.data.options);return await e.webauthn.update.finish(i.data.transactionId,r)},helpers:{create:W,get:X,isSupported:Q,conditional:z}}),(...e)=>{const t=oe(...e);return Object.assign(t.signUp,e[0].webauthn.signUp),Object.assign(t.signIn,e[0].webauthn.signIn),Object.assign(t.signUpOrIn,e[0].webauthn.signUpOrIn),Object.assign(t.update,e[0].webauthn.update),t});const re={config:"/fedcm/config"},se=(e,t)=>({async oneTap(t,n,o,i,r){const s=null!=t?t:"google",a=await e.oauth.startNative(s,o,!0);if(!a.ok)return a;const{clientId:c,stateId:l,nonce:u}=a.data,d=await async function(){return new Promise(((e,t)=>{if(window.google)return void e(window.google.accounts.id);let n=document.getElementById("google-gsi-client-script");n||(n=document.createElement("script"),document.head.appendChild(n),n.async=!0,n.defer=!0,n.id="google-gsi-client-script",n.src="https://accounts.google.com/gsi/client"),n.onload=function(){window.google?e(window.google.accounts.id):t("Failed to load Google GSI client script - not loaded properly")},n.onerror=function(){t("Failed to load Google GSI client script - failed to load")}}))}();return new Promise((t=>{var o,a;d.initialize(Object.assign(Object.assign({},n),{itp_support:null===(o=null==n?void 0:n.itp_support)||void 0===o||o,use_fedcm_for_prompt:null===(a=null==n?void 0:n.use_fedcm_for_prompt)||void 0===a||a,client_id:c,callback:n=>{t(e.oauth.finishNative(s,l,"","",n.credential))},nonce:u})),d.prompt((e=>{var t,n;if(r&&(null==e?void 0:e.isDismissedMoment())){const n=null===(t=e.getDismissedReason)||void 0===t?void 0:t.call(e);null==r||r(n)}else if(i&&(null==e?void 0:e.isSkippedMoment())){const t=null===(n=e.getSkippedReason)||void 0===n?void 0:n.call(e);null==i||i(t)}else;}))}))},async launch(n){var o;const i={identity:{context:n||"signin",providers:[{configURL:e.httpClient.buildUrl(t+re.config),clientId:t}]}},r=await(null===(o=navigator.credentials)||void 0===o?void 0:o.get(i));return e.refresh(r.token)},isSupported:()=>b&&"IdentityCredential"in window,async isLoggedIn(n){var o;const i=e.httpClient.buildUrl(t+re.config);try{const e={identity:{context:n||"signin",providers:[{configURL:i,clientId:t}]}},r=await(null===(o=navigator.credentials)||void 0===o?void 0:o.get(e));return!!r&&!!r.token}catch(e){return!1}}});var ae=e=>Object.assign(Object.assign({},e.flow),{start:async(...t)=>{const n=await Q(),o=Object.assign(Object.assign({location:window.location.href},t[1]),{deviceInfo:{webAuthnSupport:n},startOptionsVersion:1});return t[1]=o,e.flow.start(...t)}});const ce=()=>window.location.search.includes("code")&&window.location.search.includes("state");let le;const ue=(e,t)=>new Promise(((n,o)=>{if(!e.length)return o(new Error("No URLs provided to loadScriptWithFallback"));const i=t();if(i)return n(i);const r=e.shift(),s=document.createElement("script");s.src=r,s.id=(e=>{let t=0;for(let n=0;n<e.length;n++)t=(t<<5)-t+e.charCodeAt(n),t|=0;return Math.abs(t).toString(16)})(r),s.onload=()=>{const e=t();if(e)return n(e);throw new Error("Could not get entry after loading script from URL")},s.addEventListener("error",(()=>{ue(e,t),s.setAttribute("data-error","true")})),document.body.appendChild(s)}));const de=async(e,t,n)=>{le||(le=(async()=>{try{return import("oidc-client-ts")}catch(e){return ue([k,_],(()=>window.oidc))}})());const{OidcClient:o,WebStorageStateStore:i}=await le;if(!o)throw new Error("oidc-client-ts is not installed. Please install it by running `npm install oidc-client-ts`");const r=t,s=(null==n?void 0:n.redirectUri)||window.location.href,a=(null==n?void 0:n.scope)||"openid email roles descope.custom_claims offline_access",c=`${r}_user`;let l=e.httpClient.buildUrl(t);(null==n?void 0:n.applicationId)&&(l=`${l}/${n.applicationId}`);const u={authority:l,client_id:t,redirect_uri:s,response_type:"code",scope:a,stateStore:new i({store:window.localStorage,prefix:r}),loadUserInfo:!0,fetchRequestCredentials:"same-origin"};return(null==n?void 0:n.redirectUri)&&(u.redirect_uri=n.redirectUri),(null==n?void 0:n.scope)&&(u.scope=n.scope),{client:new o(u),stateUserKey:c}},ge=(e,t,n)=>{const o=async()=>{let o,i;return o&&i||({client:o,stateUserKey:i}=await de(e,t,n)),{client:o,stateUserKey:i}},i=async(t="")=>{var n;const{client:i,stateUserKey:r}=await o(),s=await i.processSigninResponse(t||window.location.href);var a;return await(null===(n=e.httpClient.hooks)||void 0===n?void 0:n.afterRequest({},new Response(JSON.stringify(s)))),window.localStorage.setItem(r,JSON.stringify({id_token:(a=s).id_token,session_state:a.session_state,profile:a.profile})),(()=>{const e=new URL(window.location.href);e.searchParams.delete("code"),e.searchParams.delete("state"),window.history.replaceState({},document.title,e.toString())})(),s};return{login:async(e={},t=!1)=>{const{client:n}=await o(),i=await n.createSigninRequest(e),{url:r}=i;return t||(window.location.href=r),{ok:!0,data:i}},finishLogin:i,finishLoginIfNeed:async(e="")=>{if(ce())return await i(e)},refreshToken:async t=>{var n;const{client:i,stateUserKey:r}=await o(),s=(e=>{const t=window.localStorage.getItem(e);return t?JSON.parse(t):null})(r);if(!s)throw new Error("User not found in storage to refresh token");let a=t;if(!a){const t={};e.httpClient.hooks.beforeRequest(t),a=t.token}const c=await i.useRefreshToken({state:{refresh_token:a,session_state:s.session_state,profile:s.profile}});return await(null===(n=e.httpClient.hooks)||void 0===n?void 0:n.afterRequest({},new Response(JSON.stringify(c)))),c},logout:async(e,t=!1)=>{const{client:n,stateUserKey:i}=await o();e||(e={}),e.id_token_hint=e.id_token_hint||D(),e.post_logout_redirect_uri=e.post_logout_redirect_uri||window.location.href;const r=await n.createSignoutRequest(e),{url:s}=r;return window.localStorage.removeItem(i),t||window.location.replace(s),r}}},pe=function(...e){return t=>e.reduce(((e,t)=>t(e)),t)}((t=>n=>{var{fpKey:o,fpLoad:i}=n,r=e(n,["fpKey","fpLoad"]);return b?(o&&i&&E(o).catch((()=>null)),t(d(r,{beforeRequest:N}))):t(r)}),(n=>i=>{var{autoRefresh:r}=i,s=e(i,["autoRefresh"]);if(!r)return n(s);const{clearAllTimers:a,setTimer:c}=(()=>{const e=[];return{clearAllTimers:()=>{for(;e.length;)clearTimeout(e.pop())},setTimer:(t,n)=>{e.push(setTimeout(t,n))}}})();let l,u;b&&document.addEventListener("visibilitychange",(()=>{"visible"===document.visibilityState&&l&&new Date>l&&(m("Expiration time passed, refreshing session"),p.refresh(C()||u))}));const p=n(d(s,{afterRequest:async(e,n)=>{const{sessionJwt:o,refreshJwt:i,sessionExpiration:r}=await g(n);if(401===(null==n?void 0:n.status))m("Received 401, canceling all timers"),a();else if(o||r){if(l=((e,n)=>{if(n)return new Date(1e3*n);m("Could not extract expiration time from session token, trying to decode the token");try{const n=t(e);if(n.exp)return new Date(1e3*n.exp)}catch(e){return null}})(o,r),!l)return void m("Could not extract expiration time from session token");u=i;const e=I(l);if(a(),e<=2e4)return void m("Session is too close to expiration, not setting refresh timer");const n=new Date(Date.now()+e).toLocaleTimeString("en-US",{hour12:!1});m(`Setting refresh timer for ${n}. (${e}ms)`),c((()=>{m("Refreshing session due to timer"),p.refresh(C()||i)}),e)}}}));return o(p,["logout","logoutAll","oidc.logout"],(e=>async(...t)=>{const n=await e(...t);return m("Clearing all timers"),a(),n}))}),(e=>t=>e(Object.assign(Object.assign({},t),{baseHeaders:Object.assign({"x-descope-sdk-name":"web-js","x-descope-sdk-version":"1.27.1"},t.baseHeaders)}))),(e=>t=>{const n=F(),i=F(),r=F(),s=e(d(t,{afterRequest:async(e,t)=>{if(401===(null==t?void 0:t.status))i.pub(null),r.pub(null),n.pub(null);else{const e=await p(t);e&&r.pub(e);const{sessionJwt:o,sessionExpiration:s}=await g(t);o&&i.pub(o),(s||o)&&n.pub(s||42)}}})),a=o(s,["logout","logoutAll","oidc.logout"],(e=>async(...t)=>{const o=await e(...t);return i.pub(null),r.pub(null),n.pub(null),o}));return Object.assign(a,{onSessionTokenChange:i.sub,onUserChange:r.sub,onIsAuthenticatedChange:e=>n.sub((t=>{e(!!t)}))})}),(t=>n=>{var{storeLastAuthenticatedUser:i=!0,keepLastAuthenticatedUserAfterLogout:r=!1}=n,s=e(n,["storeLastAuthenticatedUser","keepLastAuthenticatedUserAfterLogout"]);if(!i)return Object.assign(t(s),{getLastUserLoginId:M,getLastUserDisplayName:H});const a=t(d(s,{afterRequest:async(e,t)=>{var n;const o=await p(t),i=null===(n=null==o?void 0:o.loginIds)||void 0===n?void 0:n[0],r=null==o?void 0:o.name;i&&((e=>{w(q,e)})(i),(e=>{w(V,e)})(r))}}));let c=o(a,["flow.start"],G);return c=o(c,["logout","logoutAll"],B(r)),Object.assign(c,{getLastUserLoginId:M,getLastUserDisplayName:H})}),(t=>n=>{var{persistTokens:i,sessionTokenViaCookie:r,storagePrefix:s}=n,a=e(n,["persistTokens","sessionTokenViaCookie","storagePrefix"]);if(!i||!b)return t(a);const c=t(d(a,{beforeRequest:(l=s,e=>Object.assign(e,{token:e.token||C(l)})),afterRequest:async(e,t)=>{const n=/^\/v\d+\/mgmt\//.test(e.path);401===(null==t?void 0:t.status)?n||A(s):((e={},t=!1,n="")=>{var o;const{sessionJwt:i,refreshJwt:r}=e;if(r&&w(`${n}${U}`,r),i)if(t){const n=t.sameSite||"Strict",r=null===(o=t.secure)||void 0===o||o;x(O,i,Object.assign(Object.assign({},e),{cookieSameSite:n,cookieSecure:r}))}else w(`${n}${O}`,i);e.idToken&&w(`${n}${j}`,e.idToken)})(await g(t),r,s)}}));var l;const u=o(c,["logout","logoutAll","oidc.logout"],Z(s));return Object.assign(u,{getRefreshToken:()=>C(s),getSessionToken:()=>R(s),getIdToken:()=>D(s)})}))((e=>{const t=n(e),o=ge(t,e.projectId,e.oidcConfig);return Object.assign(Object.assign({},t),{refresh:async n=>{if(e.oidcConfig)try{await o.refreshToken(n);return Promise.resolve({ok:!0})}catch(e){return Promise.resolve({ok:!1,error:{errorCode:"J161001",errorDescription:e.toString()}})}const i=R(),r=C();return t.refresh(n,{dcs:i?"t":"f",dcr:r?"t":"f"})},logout:async n=>{if(e.oidcConfig)try{return await o.logout({id_token_hint:n}),Promise.resolve({ok:!0})}catch(e){return Promise.resolve({ok:!1,error:{errorCode:"J161000",errorDescription:e.toString()}})}return t.logout(n)},flow:ae(t),webauthn:ie(t),fedcm:se(t,e.projectId),oidc:o})}));export{U as REFRESH_TOKEN_KEY,O as SESSION_TOKEN_KEY,P as clearFingerprintData,pe as default,E as ensureFingerprintIds,ce as hasOidcParamsInUrl};
2
+ //# sourceMappingURL=index.esm.js.map
package/dist/index.esm.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.esm.js","sources":["../src/enhancers/helpers/index.ts","../src/enhancers/helpers/logger.ts","../src/constants.ts","../src/enhancers/withAutoRefresh/helpers.ts","../src/enhancers/withPersistTokens/constants.ts","../src/enhancers/withPersistTokens/helpers.ts","../src/enhancers/withFingerprint/constants.ts","../src/enhancers/withFingerprint/helpers.ts","../src/enhancers/withFingerprint/index.ts","../src/enhancers/withLastLoggedInUser/constants.ts","../src/enhancers/withLastLoggedInUser/helpers.ts","../src/enhancers/withLastLoggedInUser/index.ts","../src/enhancers/withNotifications/helpers.ts","../src/enhancers/withNotifications/index.ts","../src/enhancers/withPersistTokens/index.ts","../src/sdk/webauthn.ts","../src/apiPaths.ts","../src/sdk/fedcm.ts","../src/sdk/flow.ts","../src/sdk/oidc/helpers.ts","../src/sdk/oidc/index.ts","../src/index.ts","../src/enhancers/helpers/compose.ts","../src/enhancers/withAutoRefresh/index.ts","../src/enhancers/withAnalytics.ts","../src/sdk/index.ts"],"sourcesContent":["import { JWTResponse, UserResponse } from '@descope/core-js-sdk';\nimport { CoreSdkConfig, WebJWTResponse, WebSigninResponse } from '../../types';\nimport { jwtDecode, JwtPayload } from 'jwt-decode';\n\nconst getExpirationFromToken = (token: string) => {\n try {\n const claims = jwtDecode<JwtPayload>(token);\n return claims.exp;\n } catch (e) {\n return null;\n }\n};\n\nconst oidcRefreshTokenExpiration = (response: WebSigninResponse) => {\n const { refresh_expire_in, refresh_token } = response;\n if (refresh_expire_in) {\n return Math.floor(Date.now() / 1000) + refresh_expire_in;\n }\n return getExpirationFromToken(refresh_token);\n};\n\nconst oidcAccessTokenExpiration = (response: WebSigninResponse) => {\n // oidc-client-ts may return the expiration time in\n // - the expires_at (timestamp in seconds)\n // - the expires_in (ttl in seconds)\n // - we also fallback to the token itself\n const { expires_in, expires_at, access_token } = response;\n if (expires_at) {\n return expires_at;\n }\n if (expires_in) {\n // get expiration time from the expires_in in seconds\n return Math.floor(Date.now() / 1000) + expires_in;\n }\n if (access_token) {\n // get expiration time from the token itself\n return getExpirationFromToken(access_token);\n }\n return undefined;\n};\n\nconst normalizeWebJWTResponseToJWTResponse = (\n response: WebSigninResponse,\n): JWTResponse => {\n const { access_token, id_token, refresh_token, refresh_expire_in, ...rest } =\n response;\n return {\n sessionJwt: response.sessionJwt || access_token,\n idToken: id_token,\n refreshJwt: response.refreshJwt || refresh_token,\n sessionExpiration:\n response.sessionExpiration || oidcAccessTokenExpiration(response),\n cookieExpiration:\n response.cookieExpiration ||\n (oidcRefreshTokenExpiration(response) as number),\n ...rest,\n };\n};\n\n/**\n * Add hooks to an existing core-sdk config\n */\nexport const addHooks = <Config extends CoreSdkConfig>(\n config: Config,\n hooks: Config['hooks'],\n): Config => {\n ['beforeRequest', 'afterRequest'].reduce(\n (acc, key) => {\n acc[key] = []\n .concat(config.hooks?.[key] || [])\n .concat(hooks?.[key] || []);\n\n return acc;\n },\n (config.hooks ??= {}),\n );\n\n return config;\n};\n\nexport { compose } from './compose';\n\n/**\n * Extract auth info (JWT response) from fetch response\n * We assume that the auth info is under a \"authInfo\" attribute (flow response)\n * Or the body itself (other auth methods response)\n */\nexport const getAuthInfoFromResponse = async (\n res: Response,\n): Promise<Partial<JWTResponse>> => {\n if (!res?.ok) return {};\n const body = await res?.clone().json();\n const authInfo = body?.authInfo || body || ({} as Partial<WebJWTResponse>);\n return normalizeWebJWTResponseToJWTResponse(authInfo);\n};\n\n/**\n * Extract user from fetch response\n * User my exist under \"user\" attribute (auth methods response)\n * Or the body itself (when calling \"me\")\n */\nexport const getUserFromResponse = async (\n res: Response,\n): Promise<UserResponse> | undefined => {\n const authInfo = await getAuthInfoFromResponse(res);\n\n return (\n authInfo?.user ||\n (authInfo?.hasOwnProperty('userId')\n ? (authInfo as UserResponse)\n : undefined)\n );\n};\n\nexport const isLocalStorage = typeof localStorage !== 'undefined';\n\nexport const setLocalStorage = (key: string, value: string) =>\n isLocalStorage && localStorage?.setItem(key, value);\nexport const getLocalStorage = (key: string) =>\n isLocalStorage && localStorage?.getItem(key);\nexport const removeLocalStorage = (key: string) =>\n isLocalStorage && localStorage?.removeItem(key);\n","const logger = {\n debug: (...args: any[]) => {\n // eslint-disable-next-line no-console\n console.debug(...args);\n },\n};\n\nexport default logger;\n","const OIDC_CLIENT_TS_VERSION = '3.2.0';\n\n// This sdk can be used in SSR apps\nexport const IS_BROWSER = typeof window !== 'undefined';\n\n// Maximum timeout value for setTimeout\n// For more information, refer to https://developer.mozilla.org/en-US/docs/Web/API/setTimeout#maximum_delay_value\nexport const MAX_TIMEOUT = Math.pow(2, 31) - 1;\n\n// The amount of time (ms) to trigger the refresh before session expires\nexport const REFRESH_THRESHOLD = 20 * 1000; // 20 sec\n\nexport const OIDC_CLIENT_TS_DESCOPE_CDN_URL = `https://descopecdn.com/npm/oidc-client-ts@${OIDC_CLIENT_TS_VERSION}/dist/browser/oidc-client-ts.min.js`;\nexport const OIDC_CLIENT_TS_JSDELIVR_CDN_URL = `https://cdn.jsdelivr.net/npm/oidc-client-ts@${OIDC_CLIENT_TS_VERSION}/dist/browser/oidc-client-ts.min.js`;\n","import { jwtDecode, JwtPayload } from 'jwt-decode';\nimport logger from '../helpers/logger';\nimport { MAX_TIMEOUT, REFRESH_THRESHOLD } from '../../constants';\n\n/**\n * Get the JWT expiration WITHOUT VALIDATING the JWT\n * @param token The JWT to extract expiration from\n * @returns The Date for when the JWT expires or null if there is an issue\n */\nexport const getTokenExpiration = (\n token: string,\n sessionExpiration: number,\n) => {\n if (sessionExpiration) {\n return new Date(sessionExpiration * 1000);\n }\n\n logger.debug(\n 'Could not extract expiration time from session token, trying to decode the token',\n );\n try {\n const claims = jwtDecode<JwtPayload>(token);\n if (claims.exp) {\n return new Date(claims.exp * 1000);\n }\n } catch (e) {\n return null;\n }\n};\n\nexport const millisecondsUntilDate = (date: Date) =>\n date ? date.getTime() - new Date().getTime() : 0;\n\nexport const createTimerFunctions = () => {\n const timerIds: NodeJS.Timeout[] = [];\n\n const clearAllTimers = () => {\n while (timerIds.length) {\n clearTimeout(timerIds.pop());\n }\n };\n\n const setTimer = (cb: () => void, timeout: number) => {\n timerIds.push(setTimeout(cb, timeout));\n };\n\n return { clearAllTimers, setTimer };\n};\n\nexport const getAutoRefreshTimeout = (sessionExpiration: Date) => {\n let timeout = millisecondsUntilDate(sessionExpiration) - REFRESH_THRESHOLD;\n\n if (timeout > MAX_TIMEOUT) {\n logger.debug(\n `Timeout is too large (${timeout}ms), setting it to ${MAX_TIMEOUT}ms`,\n );\n timeout = MAX_TIMEOUT;\n }\n\n return timeout;\n};\n","/** Default name for the session cookie name / local storage key */\nexport const SESSION_TOKEN_KEY = 'DS';\n/** Default name for the refresh local storage key */\nexport const REFRESH_TOKEN_KEY = 'DSR';\n/* Default name for the id token local storage key */\nexport const ID_TOKEN_KEY = 'DSI';\n","import { JWTResponse } from '@descope/core-js-sdk';\nimport Cookies from 'js-cookie';\nimport { BeforeRequestHook, WebJWTResponse } from '../../types';\nimport {\n ID_TOKEN_KEY,\n REFRESH_TOKEN_KEY,\n SESSION_TOKEN_KEY,\n} from './constants';\nimport {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport { CookieConfig, SameSite } from './types';\n\n/**\n * Store the session JWT as a cookie on the given domain and path with the given expiration.\n * This is useful so that the application backend will automatically get the cookie for the session\n * @param name cookie name\n * @param value The JWT to store as a cookie\n * @param cookieParams configuration that is usually returned from the JWT\n */\nfunction setJwtTokenCookie(\n name: string,\n value: string,\n authInfo: Partial<\n WebJWTResponse & { cookieSameSite: SameSite; cookieSecure: boolean }\n >,\n) {\n if (value) {\n const {\n cookieDomain,\n cookiePath,\n cookieSameSite,\n cookieExpiration,\n cookieSecure,\n } = authInfo;\n const expires = new Date(cookieExpiration * 1000); // we are getting response from the server in seconds instead of ms\n // Since its a JS cookie, we don't set the domain because we want the cookie to be on the same domain as the application\n const domainMatches = isCurrentDomainOrParentDomain(cookieDomain);\n Cookies.set(name, value, {\n path: cookiePath,\n domain: domainMatches ? cookieDomain : undefined,\n expires,\n sameSite: cookieSameSite,\n secure: cookieSecure,\n });\n }\n}\n\n/*\n * Check if the cookie domain is the same as the current domain or the parent domain\n * Examples:\n * 1. cookie domain: 'example.com', current domain: 'example.com' => true\n * 2. cookie domain: 'example.com', current domain: 'sub.example.com' => true\n * 3. cookie domain: 'example.com', current domain: 'sub.sub.example.com' => true\n * 4. cookie domain: 'example.com', current domain: 'another.com' => false\n * 5. cookie domain: 'example.com', current domain: 'example.co.il' => false\n */\nfunction isCurrentDomainOrParentDomain(cookieDomain: string): boolean {\n const currentDomain = window.location.hostname;\n const currentDomainParts = currentDomain.split('.');\n const cookieDomainParts = cookieDomain.split('.');\n\n // check if the cookie domain items are the last items in the current domain\n const currentDomainSuffix = currentDomainParts\n .slice(-cookieDomainParts.length)\n .join('.');\n return currentDomainSuffix === cookieDomain;\n}\n\nexport const persistTokens = (\n authInfo = {} as Partial<WebJWTResponse>,\n sessionTokenViaCookie: boolean | CookieConfig = false,\n storagePrefix = '',\n) => {\n // persist refresh token\n const { sessionJwt, refreshJwt } = authInfo;\n refreshJwt &&\n setLocalStorage(`${storagePrefix}${REFRESH_TOKEN_KEY}`, refreshJwt);\n\n // persist session token\n if (sessionJwt) {\n if (sessionTokenViaCookie) {\n // Cookie configs will fallback to default values in both cases\n // 1. sessionTokenViaCookie is a boolean\n // 2. sessionTokenViaCookie is an object without the property\n const cookieSameSite = sessionTokenViaCookie['sameSite'] || 'Strict';\n const cookieSecure = sessionTokenViaCookie['secure'] ?? true;\n setJwtTokenCookie(SESSION_TOKEN_KEY, sessionJwt, {\n ...(authInfo as Partial<JWTResponse>),\n cookieSameSite,\n cookieSecure,\n });\n } else {\n setLocalStorage(`${storagePrefix}${SESSION_TOKEN_KEY}`, sessionJwt);\n }\n }\n\n if (authInfo.idToken) {\n setLocalStorage(`${storagePrefix}${ID_TOKEN_KEY}`, authInfo.idToken);\n }\n};\n\n/** Return the refresh token from the localStorage. Not for production usage because refresh token will not be saved in localStorage. */\nexport function getRefreshToken(prefix: string = '') {\n return getLocalStorage(`${prefix}${REFRESH_TOKEN_KEY}`) || '';\n}\n\n/**\n * Return the session token. first try to get from cookie, and fallback to local storage\n * See sessionTokenViaCookie option for more details about session token location\n */\nexport function getSessionToken(prefix: string = ''): string {\n return (\n Cookies.get(SESSION_TOKEN_KEY) ||\n getLocalStorage(`${prefix}${SESSION_TOKEN_KEY}`) ||\n ''\n );\n}\n\nexport function getIdToken(prefix: string = ''): string {\n return getLocalStorage(`${prefix}${ID_TOKEN_KEY}`) || '';\n}\n\n/** Remove both the localStorage refresh JWT and the session cookie */\nexport function clearTokens(prefix: string = '') {\n removeLocalStorage(`${prefix}${REFRESH_TOKEN_KEY}`);\n removeLocalStorage(`${prefix}${SESSION_TOKEN_KEY}`);\n removeLocalStorage(`${prefix}${ID_TOKEN_KEY}`);\n Cookies.remove(SESSION_TOKEN_KEY);\n}\n\nexport const beforeRequest =\n (prefix?: string): BeforeRequestHook =>\n (config) => {\n return Object.assign(config, {\n token: config.token || getRefreshToken(prefix),\n });\n };\n","import { IS_BROWSER } from '../../constants';\n\nconst FINGERPRINT_PUBLIC_KEY = 'fingerprint.public.key';\nconst FINGERPRINT_ENDPOINT_URL = 'fingerprint.endpoint.url';\n\n/** Fingerprint.js cloudflare integration */\nexport const FP_EP_URL =\n (IS_BROWSER && localStorage?.getItem(FINGERPRINT_ENDPOINT_URL)) ||\n 'https://api.descope.com';\nexport const FP_CF_ENDPOINT_PATH = '/fXj8gt3x8VulJBna/x96Emn69oZwcd7I6';\nexport const FP_CF_SCRIPT_PATH = '/fXj8gt3x8VulJBna/w78aRZnnDZ3Aqw0I';\n/** Fingerprint visitor data */\nexport const FP_BODY_DATA = 'fpData';\n/** Session ID for visitor */\nexport const VISITOR_SESSION_ID_PARAM = 'vsid';\n/** Request ID for visitor */\nexport const VISITOR_REQUEST_ID_PARAM = 'vrid';\n/** FP storage key */\nexport const FP_STORAGE_KEY = 'fp';\n// Storage FP Keys TTL is 24 hours\nexport const STORAGE_TTL_MS = 24 * 60 * 60 * 1000;\n","import {\n load,\n defaultEndpoint,\n defaultScriptUrlPattern,\n} from '@fingerprintjs/fingerprintjs-pro';\nimport {\n FP_EP_URL,\n FP_CF_ENDPOINT_PATH,\n FP_CF_SCRIPT_PATH,\n FP_STORAGE_KEY,\n STORAGE_TTL_MS,\n VISITOR_REQUEST_ID_PARAM,\n VISITOR_SESSION_ID_PARAM,\n} from './constants';\nimport { FingerprintObject } from './types';\n\nconst createFingerprintObject = (\n sessionId: string,\n requestId: string,\n): FingerprintObject => ({\n [VISITOR_SESSION_ID_PARAM]: sessionId,\n [VISITOR_REQUEST_ID_PARAM]: requestId,\n});\n\n/** Generate UUID based on current time and some randomness */\nconst generateUUID = () => {\n // return alphanumeric, sortable uuid of 27 characters\n return (\n Date.now().toString(36) +\n Math.random().toString(36).substring(2) + // removing '0.' prefix\n Math.random().toString(36).substring(2)\n ).substring(0, 27);\n};\n\n// Set FP data to storage with expiration\n// We set the request id and session id together so they will have the same TTL\n// This implementation is based on https://www.sohamkamani.com/javascript/localstorage-with-ttl-expiry/\nconst setFPToStorage = (value: FingerprintObject) => {\n const now = new Date();\n // `item` is an object which contains the value\n // as well as the time when it's supposed to expire\n const item = {\n value,\n expiry: now.getTime() + STORAGE_TTL_MS,\n };\n localStorage.setItem(FP_STORAGE_KEY, JSON.stringify(item));\n};\n\n// Get Fingerprint from storage, will return null if not exists, or if expired\nconst getFPFromStorage = (returnExpired = false): FingerprintObject => {\n const itemStr = localStorage.getItem(FP_STORAGE_KEY);\n // if the item doesn't exist, return null\n if (!itemStr) {\n return null;\n }\n const item = JSON.parse(itemStr);\n const now = new Date();\n // compare the expiry time of the item with the current time\n // return null if needed\n if (now.getTime() > item.expiry && !returnExpired) {\n return null;\n }\n return item.value;\n};\n\n/**\n * Ensure fingerprint ids (request id, session id) exist.\n * If not, It will generate and load them into to browser storage.\n * NOTE: Using fingerprintJS data has cost, use considerably.\n * @param fpKey FingerprintJS API key\n */\nexport const ensureFingerprintIds = async (\n fpKey: string,\n baseUrl = FP_EP_URL,\n) => {\n try {\n if (getFPFromStorage()) {\n // FP is already in storage, no need to\n return;\n }\n\n const sessionId = generateUUID();\n\n const endpointUrl = new URL(baseUrl);\n endpointUrl.pathname = FP_CF_ENDPOINT_PATH;\n\n const patterUrl = new URL(baseUrl);\n patterUrl.pathname = FP_CF_SCRIPT_PATH;\n const scriptUrlPattern =\n patterUrl.toString() +\n '?apiKey=<apiKey>&version=<version>&loaderVersion=<loaderVersion>';\n\n // load from FingerprintJS\n const agentP = load({\n apiKey: fpKey,\n endpoint: [\n endpointUrl.toString(),\n defaultEndpoint, // Fallback to default endpoint in case of error\n ],\n scriptUrlPattern: [\n scriptUrlPattern,\n defaultScriptUrlPattern, // Fallback to default CDN in case of error\n ],\n });\n\n const agent = await agentP;\n const { requestId } = await agent.get({ linkedId: sessionId });\n const fpData = createFingerprintObject(sessionId, requestId);\n setFPToStorage(fpData);\n } catch (ex) {\n // eslint-disable-next-line no-console\n console.warn('Could not load fingerprint', ex);\n }\n};\n\n/**\n * Get Fingerprint data (request ids) from storage, or create empty object\n * If data is expired, return it anyway\n */\nexport const getFingerprintData = (): FingerprintObject | null => {\n // get from storage if exists\n return getFPFromStorage(true);\n};\n\n/** Clear Fingerprint data from storage */\nexport const clearFingerprintData = () => {\n localStorage.removeItem(FP_STORAGE_KEY);\n};\n","import { IS_BROWSER } from '../../constants';\nimport { CreateWebSdk } from '../../sdk';\nimport { BeforeRequestHook } from '../../types';\nimport { addHooks } from '../helpers';\nimport { FP_BODY_DATA } from './constants';\nimport { ensureFingerprintIds, getFingerprintData } from './helpers';\nimport { FingerprintOptions } from './types';\n\nconst beforeRequest: BeforeRequestHook = (config) => {\n const data = getFingerprintData();\n if (data && config.body) {\n config.body[FP_BODY_DATA] = data;\n }\n\n return config;\n};\n\n/**\n * Add fingerprint data to outgoing requests\n */\nexport const withFingerprint =\n <T extends CreateWebSdk>(createSdk: T) =>\n ({ fpKey, fpLoad, ...config }: Parameters<T>[0] & FingerprintOptions) => {\n if (!IS_BROWSER) {\n // Fingerprint is a client side only capability and will not work when running in the server (SSR)\n return createSdk(config);\n }\n\n // load fingerprint now if needed\n if (fpKey && fpLoad) {\n ensureFingerprintIds(fpKey).catch(\n // istanbul ignore next\n () => null,\n );\n }\n\n // Hook added always because fingerprint can be dynamic using flows\n return createSdk(addHooks(config, { beforeRequest }));\n };\n","/** Login Id of the last user logged in */\nexport const LOCAL_STORAGE_LAST_USER_LOGIN_ID = 'dls_last_user_login_id';\n\n/** Display name of the last user logged in */\nexport const LOCAL_STORAGE_LAST_USER_DISPLAY_NAME =\n 'dls_last_user_display_name';\n","import {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport {\n LOCAL_STORAGE_LAST_USER_LOGIN_ID,\n LOCAL_STORAGE_LAST_USER_DISPLAY_NAME,\n} from './constants';\n\nexport const setLastUserLoginId = (loginId: string) => {\n return setLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID, loginId);\n};\n\nexport const getLastUserLoginId = () => {\n return getLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID);\n};\n\nexport const removeLastUserLoginId = () => {\n return removeLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID);\n};\n\nexport const setLastUserDisplayName = (displayName: string) => {\n return setLocalStorage(LOCAL_STORAGE_LAST_USER_DISPLAY_NAME, displayName);\n};\n\nexport const getLastUserDisplayName = () => {\n return getLocalStorage(LOCAL_STORAGE_LAST_USER_DISPLAY_NAME);\n};\n\nexport const removeLastUserDisplayName = () => {\n return removeLocalStorage(LOCAL_STORAGE_LAST_USER_DISPLAY_NAME);\n};\n","import { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook, CoreSdk } from '../../types';\nimport { addHooks, getUserFromResponse } from '../helpers';\nimport {\n getLastUserLoginId,\n removeLastUserLoginId,\n setLastUserLoginId,\n getLastUserDisplayName,\n removeLastUserDisplayName,\n setLastUserDisplayName,\n} from './helpers';\nimport { LastLoggedInUserOptions } from './types';\n\n/**\n * Adds last logged in user to flow start request\n */\n// eslint-disable-next-line import/exports-last\nexport const withLastLoggedInUser =\n <T extends CreateWebSdk>(createSdk: T) =>\n ({\n storeLastAuthenticatedUser = true,\n keepLastAuthenticatedUserAfterLogout = false,\n ...config\n }: Parameters<T>[0] & LastLoggedInUserOptions): ReturnType<T> & {\n getLastUserLoginId: typeof getLastUserLoginId;\n getLastUserDisplayName: typeof getLastUserDisplayName;\n } => {\n if (!storeLastAuthenticatedUser) {\n // We assign getLastUserLoginId and getLastUserDisplayName to the sdk\n // To keep the return type consistent\n return Object.assign(createSdk(config), {\n getLastUserLoginId,\n getLastUserDisplayName,\n }) as any;\n }\n const afterRequest: AfterRequestHook = async (_req, res) => {\n const userDetails = await getUserFromResponse(res);\n const loginId = userDetails?.loginIds?.[0];\n const displayName = userDetails?.name;\n if (loginId) {\n setLastUserLoginId(loginId);\n setLastUserDisplayName(displayName);\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n let wrappedSdk = wrapWith(sdk, ['flow.start'], startWrapper);\n wrappedSdk = wrapWith(\n wrappedSdk,\n ['logout', 'logoutAll'],\n logoutWrapper(keepLastAuthenticatedUserAfterLogout),\n );\n return Object.assign(wrappedSdk, {\n getLastUserLoginId,\n getLastUserDisplayName,\n }) as any;\n };\n\nconst startWrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n args[1] = args[1] || {};\n const [, options = {}] = args as unknown as Parameters<\n CoreSdk['flow']['start']\n >;\n const loginId = getLastUserLoginId();\n const displayName = getLastUserDisplayName();\n\n if (loginId) {\n options.lastAuth ??= {};\n options.lastAuth.loginId = loginId;\n options.lastAuth.name = displayName;\n }\n\n const resp = await fn(...args);\n\n return resp;\n };\n\nconst logoutWrapper =\n (keepOnLogout?: boolean): SdkFnWrapper<{}> =>\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n if (keepOnLogout) {\n return resp;\n }\n\n removeLastUserLoginId();\n removeLastUserDisplayName();\n\n return resp;\n };\n","// create publisher/subscriber instances\nexport function createPubSub<T extends any>() {\n const cbs = [];\n\n const sub = (cb: (data: T) => void) => {\n const idx = cbs.push(cb) - 1;\n return () => cbs.splice(idx, 1);\n };\n\n const pub = (data: T) => {\n cbs.forEach((cb) => cb(data));\n };\n\n return { pub, sub };\n}\n","import { SdkFnWrapper, UserResponse, wrapWith } from '@descope/core-js-sdk';\nimport { CreateWebSdk, WebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport {\n addHooks,\n getAuthInfoFromResponse,\n getUserFromResponse,\n} from '../helpers';\nimport { createPubSub } from './helpers';\n\n/**\n * Adds 3 event functions to the sdk,\n * onSessionTokenChange: Gets a callback and call it whenever there is a change in session token\n * onIsAuthenticatedChange: Gets a callback and call it whenever there is a change in authentication status\n * onUserChange: Gets a callback and call it whenever there is a change in current logged in user\n */\nexport const withNotifications =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0]) => {\n const sessionExpirationPS = createPubSub<number | null>();\n const sessionPS = createPubSub<string | null>();\n const userPS = createPubSub<UserResponse | null>();\n\n const afterRequest: AfterRequestHook = async (_req, res) => {\n if (res?.status === 401) {\n sessionPS.pub(null);\n userPS.pub(null);\n sessionExpirationPS.pub(null);\n } else {\n const userDetails = await getUserFromResponse(res);\n if (userDetails) userPS.pub(userDetails);\n\n const { sessionJwt, sessionExpiration } =\n await getAuthInfoFromResponse(res);\n\n if (sessionJwt) sessionPS.pub(sessionJwt);\n\n if (sessionExpiration || sessionJwt) {\n // We also publish the session expiration if there is a session jwt\n // as a temporary fix for the issue where the session expiration is not\n // being sent in the response in Flows (42 is a magic number)\n sessionExpirationPS.pub(sessionExpiration || 42);\n }\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n const wrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n\n sessionPS.pub(null);\n userPS.pub(null);\n sessionExpirationPS.pub(null);\n\n return resp;\n };\n\n const wrappedSdk = wrapWith(\n sdk,\n ['logout', 'logoutAll', 'oidc.logout'],\n wrapper,\n );\n\n return Object.assign(wrappedSdk, {\n onSessionTokenChange: sessionPS.sub,\n onUserChange: userPS.sub,\n onIsAuthenticatedChange: (cb: (isAuthenticated: boolean) => void) => {\n // If and only if there is a session expiration, then the user is authenticated\n return sessionExpirationPS.sub((exp) => {\n cb(!!exp);\n });\n },\n });\n };\n","/* eslint-disable import/exports-last */\nimport { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { IS_BROWSER } from '../../constants';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport { addHooks, getAuthInfoFromResponse } from '../helpers';\nimport {\n beforeRequest,\n clearTokens,\n getRefreshToken,\n getSessionToken,\n persistTokens,\n getIdToken,\n} from './helpers';\nimport { CookieConfig, PersistTokensOptions } from './types';\n\n/**\n * Persist authentication tokens in cookie/storage\n */\nexport const withPersistTokens =\n <T extends CreateWebSdk>(createSdk: T) =>\n <A extends CookieConfig>({\n persistTokens: isPersistTokens,\n sessionTokenViaCookie,\n storagePrefix,\n ...config\n }: Parameters<T>[0] & PersistTokensOptions<A>): A extends false\n ? ReturnType<T>\n : ReturnType<T> & {\n getRefreshToken: () => string;\n getSessionToken: () => string;\n getIdToken: () => string;\n } => {\n if (!isPersistTokens || !IS_BROWSER) {\n if (isPersistTokens) {\n // Storing auth tokens in local storage and cookies are a client side only capabilities\n // and will not be done when running in the server\n }\n return createSdk(config) as any;\n }\n\n const afterRequest: AfterRequestHook = async (req, res) => {\n const isManagementApi = /^\\/v\\d+\\/mgmt\\//.test(req.path);\n\n if (res?.status === 401) {\n if (!isManagementApi) {\n clearTokens(storagePrefix);\n }\n } else {\n persistTokens(\n await getAuthInfoFromResponse(res),\n sessionTokenViaCookie,\n storagePrefix,\n );\n }\n };\n\n const sdk = createSdk(\n addHooks(config, {\n beforeRequest: beforeRequest(storagePrefix),\n afterRequest,\n }),\n );\n\n const wrappedSdk = wrapWith(\n sdk,\n ['logout', 'logoutAll', 'oidc.logout'],\n wrapper(storagePrefix),\n );\n\n const refreshToken = () => getRefreshToken(storagePrefix);\n const sessionToken = () => getSessionToken(storagePrefix);\n const idToken = () => getIdToken(storagePrefix);\n\n return Object.assign(wrappedSdk, {\n getRefreshToken: refreshToken,\n getSessionToken: sessionToken,\n getIdToken: idToken,\n }) as any;\n };\n\nconst wrapper =\n (prefix?: string): SdkFnWrapper<{}> =>\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n\n clearTokens(prefix);\n\n return resp;\n };\n\nexport default withPersistTokens;\n","import { JWTResponse, SdkResponse, ResponseData } from '@descope/core-js-sdk';\nimport { IS_BROWSER } from '../constants';\nimport { CoreSdk, PasskeyOptions } from '../types';\n\ntype CreateWebauthn = typeof createWebAuthn;\n\nconst withCoreFns =\n <I extends Parameters<CreateWebauthn>, O extends ReturnType<CreateWebauthn>>(\n creator: (...args: I) => O,\n ) =>\n (...args: I) => {\n const obj = creator(...args);\n\n Object.assign(obj.signUp, args[0].webauthn.signUp);\n Object.assign(obj.signIn, args[0].webauthn.signIn);\n Object.assign(obj.signUpOrIn, args[0].webauthn.signUpOrIn);\n Object.assign(obj.update, args[0].webauthn.update);\n\n return obj as {\n [K in keyof O]: K extends keyof I[0]['webauthn']\n ? O[K] & I[0]['webauthn'][K]\n : O[K];\n };\n };\n\n/** Constructs a higher level WebAuthn API that wraps the functions from code-js-sdk */\nconst createWebAuthn = (sdk: CoreSdk) => ({\n async signUp(\n identifier: string,\n name: string,\n passkeyOptions?: PasskeyOptions,\n ) {\n const startResponse = await sdk.webauthn.signUp.start(\n identifier,\n window.location.origin,\n name,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n const createResponse = await create(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signUp.finish(\n startResponse.data.transactionId,\n createResponse,\n );\n return finishResponse;\n },\n\n async signIn(identifier: string, passkeyOptions?: PasskeyOptions) {\n const startResponse = await sdk.webauthn.signIn.start(\n identifier,\n window.location.origin,\n undefined,\n undefined,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n const getResponse = await get(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signIn.finish(\n startResponse.data.transactionId,\n getResponse,\n );\n return finishResponse;\n },\n\n async signUpOrIn(identifier: string, passkeyOptions?: PasskeyOptions) {\n const startResponse = await sdk.webauthn.signUpOrIn.start(\n identifier,\n window.location.origin,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n if (startResponse.data?.create) {\n const createResponse = await create(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signUp.finish(\n startResponse.data.transactionId,\n createResponse,\n );\n return finishResponse;\n } else {\n const getResponse = await get(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signIn.finish(\n startResponse.data.transactionId,\n getResponse,\n );\n return finishResponse;\n }\n },\n\n async update(\n identifier: string,\n token: string,\n passkeyOptions?: PasskeyOptions,\n ) {\n const startResponse = await sdk.webauthn.update.start(\n identifier,\n window.location.origin,\n token,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as SdkResponse<ResponseData>;\n }\n const createResponse = await create(startResponse.data.options);\n const finishResponse = await sdk.webauthn.update.finish(\n startResponse.data.transactionId,\n createResponse,\n );\n return finishResponse;\n },\n\n /** Helper functions for working with WebAuthn browser APIs using JSON data */\n helpers: {\n /** Wraps the navigation.credentials.create call to translate JSON inputs and outputs */\n create,\n /** Wraps the navigation.credentials.get call to translate JSON inputs and outputs */\n get,\n /** Checks if the browser supports WebAuthn, and can optionally require in\n * addition that the browser supports WebAuthn with built-in biometrics */\n isSupported,\n conditional,\n },\n});\n\n// Helpers functions\n\nasync function create(options: string): Promise<string> {\n const createOptions = decodeCreateOptions(options);\n const createResponse = (await navigator.credentials.create(\n createOptions,\n )) as AttestationPublicKeyCredential;\n return encodeCreateResponse(createResponse);\n}\n\nasync function get(options: string): Promise<string> {\n const getOptions = decodeGetOptions(options);\n const getResponse = (await navigator.credentials.get(\n getOptions,\n )) as AssertionPublicKeyCredential;\n return encodeGetResponse(getResponse);\n}\n\n/**\n * This function should be used in passkeys autofill (conditional UI)\n * It handles the call to \"navigator.credentials.get\" and adds the required options\n * @param options webauthn start options\n * @param abort: AbortController instance\n * @returns encoded \"navigator.credentials.get\" response\n */\nasync function conditional(\n options: string,\n abort: AbortController,\n): Promise<string> {\n const getOptions = decodeGetOptions(options);\n getOptions.signal = abort.signal;\n getOptions.mediation = 'conditional' as any;\n const getResponse = (await navigator.credentials.get(\n getOptions,\n )) as AssertionPublicKeyCredential;\n return encodeGetResponse(getResponse);\n}\n\n// eslint-disable-next-line import/exports-last\nexport async function isSupported(\n requirePlatformAuthenticator: boolean = false,\n): Promise<boolean> {\n if (!IS_BROWSER) {\n return Promise.resolve(false);\n }\n const supported = !!(\n window.PublicKeyCredential &&\n navigator.credentials &&\n navigator.credentials.create &&\n navigator.credentials.get\n );\n if (\n supported &&\n requirePlatformAuthenticator &&\n PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable\n ) {\n return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();\n }\n return supported;\n}\n\n// Conversion of data structures for Create/Attestation/Register ceremony\n\ntype AttestationPublicKeyCredential = PublicKeyCredential & {\n response: AuthenticatorAttestationResponse;\n};\n\nfunction decodeCreateOptions(value: string): CredentialCreationOptions {\n const options = JSON.parse(value);\n options.publicKey.challenge = decodeBase64Url(options.publicKey.challenge);\n options.publicKey.user.id = decodeBase64Url(options.publicKey.user.id);\n options.publicKey.excludeCredentials?.forEach((item: any) => {\n item.id = decodeBase64Url(item.id);\n });\n return options;\n}\n\nfunction encodeCreateResponse(\n credential: AttestationPublicKeyCredential,\n): string {\n return JSON.stringify({\n id: credential.id,\n rawId: encodeBase64Url(credential.rawId),\n type: credential.type,\n response: {\n attestationObject: encodeBase64Url(credential.response.attestationObject),\n clientDataJSON: encodeBase64Url(credential.response.clientDataJSON),\n },\n });\n}\n\n// Conversion of data structures for Get/Assertion/Login ceremony\n\ntype AssertionPublicKeyCredential = PublicKeyCredential & {\n response: AuthenticatorAssertionResponse;\n};\n\nfunction decodeGetOptions(value: string): CredentialRequestOptions {\n const options = JSON.parse(value);\n options.publicKey.challenge = decodeBase64Url(options.publicKey.challenge);\n options.publicKey.allowCredentials?.forEach((item: any) => {\n item.id = decodeBase64Url(item.id);\n });\n return options;\n}\n\nfunction encodeGetResponse(credential: AssertionPublicKeyCredential): string {\n return JSON.stringify({\n id: credential.id,\n rawId: encodeBase64Url(credential.rawId),\n type: credential.type,\n response: {\n authenticatorData: encodeBase64Url(credential.response.authenticatorData),\n clientDataJSON: encodeBase64Url(credential.response.clientDataJSON),\n signature: encodeBase64Url(credential.response.signature),\n userHandle: credential.response.userHandle\n ? encodeBase64Url(credential.response.userHandle)\n : undefined,\n },\n });\n}\n\n// Conversion between ArrayBuffers and Base64Url strings\n\nfunction decodeBase64Url(value: string): ArrayBufferLike {\n const base64 = value.replace(/_/g, '/').replace(/-/g, '+');\n return Uint8Array.from(atob(base64), (c) => c.charCodeAt(0)).buffer;\n}\n\nfunction encodeBase64Url(value: ArrayBufferLike): string {\n const base64 = btoa(String.fromCharCode.apply(null, new Uint8Array(value)));\n return base64.replace(/\\//g, '_').replace(/\\+/g, '-').replace(/=/g, '');\n}\n\n// Exports\nexport default withCoreFns(createWebAuthn);\n","export const apiPaths = {\n fedcm: {\n config: '/fedcm/config',\n },\n};\n","import { JWTResponse, SdkResponse, LoginOptions } from '@descope/core-js-sdk';\nimport { CoreSdk } from '../types';\nimport { IS_BROWSER } from '../constants';\nimport { apiPaths } from '../apiPaths';\n\n/**\n * Configuration for OneTap.\n */\ninterface OneTapConfig {\n /** Whether to auto select. Optional. */\n auto_select?: boolean;\n\n /** Whether to cancel on tap outside. Optional. */\n cancel_on_tap_outside?: boolean;\n\n /** ID of the prompt parent. Optional. */\n prompt_parent_id?: string;\n\n /** Context. Optional. */\n context?: 'signin' | 'signup' | 'use';\n\n /** Callback function to handle the intermediate iframe close event. Optional. */\n intermediate_iframe_close_callback?: () => void;\n\n /** Whether to support ITP. Optional. */\n itp_support?: boolean;\n\n /** Login hint. Optional. */\n login_hint?: string;\n\n /** HD. Optional. */\n hd?: string;\n\n /** Whether to use FedCM for prompt. Optional. */\n use_fedcm_for_prompt?: boolean;\n}\n\n/**\n * Response from the credential.\n */\ninterface CredentialResponse {\n /** Credential. */\n credential: string;\n\n /** How the selection was made. */\n select_by:\n | 'auto'\n | 'user'\n | 'user_1tap'\n | 'user_2tap'\n | 'btn'\n | 'btn_confirm'\n | 'btn_add_session'\n | 'btn_confirm_add_session';\n}\n\ninterface FedCMAssertionResponse {\n token: string;\n error: {\n code: string;\n url: string;\n };\n}\n\ninterface IdentityProviderConfig {\n configURL: string;\n clientId: string;\n}\n\ntype IdentityCredentialRequestOptionsContext =\n | 'signin'\n | 'signup'\n | 'use'\n | 'continue';\n\ninterface IdentityProviderRequestOptions extends IdentityProviderConfig {\n nonce?: string;\n loginHint?: string;\n domainHint?: string;\n}\n\ninterface IdentityCredentialRequestOptions {\n providers: IdentityProviderRequestOptions[];\n context?: IdentityCredentialRequestOptionsContext;\n}\n\ninterface FedCMCredentialRequestOptions {\n identity?: IdentityCredentialRequestOptions;\n}\n\ntype OneTapInitialize = ({\n client_id,\n callback,\n nonce,\n}: {\n client_id: string;\n callback: (res: CredentialResponse) => void;\n nonce: string;\n} & OneTapConfig) => void;\n\ntype PromptNotification = {\n isSkippedMoment: () => boolean;\n isDismissedMoment: () => boolean;\n getDismissedReason: () => string;\n getSkippedReason: () => string;\n};\n\n/**\n * Constructs a higher level FedCM API that wraps the functions from code-js-sdk.\n * @param sdk The CoreSdk instance.\n * @returns The FedCM API.\n */\nconst createFedCM = (sdk: CoreSdk, projectId: string) => ({\n async oneTap(\n provider?: string,\n oneTapConfig?: OneTapConfig,\n loginOptions?: LoginOptions,\n onSkip?: (reason?: string) => void,\n onDismissed?: (reason?: string) => void,\n ) {\n const readyProvider = provider ?? 'google';\n const startResponse = await sdk.oauth.startNative(\n readyProvider,\n loginOptions,\n true,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n\n const { clientId, stateId, nonce } = startResponse.data;\n const googleClient = await getGoogleClient();\n return new Promise((resolve) => {\n const callback = (res: CredentialResponse) => {\n resolve(\n sdk.oauth.finishNative(\n readyProvider,\n stateId,\n '',\n '',\n res.credential,\n ),\n );\n };\n\n // initialize google client\n googleClient.initialize({\n ...oneTapConfig,\n itp_support: oneTapConfig?.itp_support ?? true,\n use_fedcm_for_prompt: oneTapConfig?.use_fedcm_for_prompt ?? true,\n client_id: clientId,\n callback,\n nonce,\n });\n\n googleClient.prompt((notification) => {\n if (onDismissed && notification?.isDismissedMoment()) {\n const reason = notification.getDismissedReason?.();\n onDismissed?.(reason);\n return;\n }\n\n // Fallback to onSkip\n if (onSkip && notification?.isSkippedMoment()) {\n const reason = notification.getSkippedReason?.();\n onSkip?.(reason);\n return;\n }\n });\n });\n },\n async launch(\n context?: IdentityCredentialRequestOptionsContext,\n ): Promise<SdkResponse<JWTResponse>> {\n const configURL = sdk.httpClient.buildUrl(\n projectId + apiPaths.fedcm.config,\n );\n const req: FedCMCredentialRequestOptions = {\n identity: {\n context: context || 'signin',\n providers: [\n {\n configURL,\n clientId: projectId,\n },\n ],\n },\n };\n const res = await navigator.credentials?.get(req as any);\n return sdk.refresh((res as any as FedCMAssertionResponse).token);\n },\n isSupported(): boolean {\n return IS_BROWSER && 'IdentityCredential' in window;\n },\n async isLoggedIn(\n context?: IdentityCredentialRequestOptionsContext,\n ): Promise<boolean> {\n const configURL = sdk.httpClient.buildUrl(\n projectId + apiPaths.fedcm.config,\n );\n try {\n const req: FedCMCredentialRequestOptions = {\n identity: {\n context: context || 'signin',\n providers: [\n {\n configURL,\n clientId: projectId,\n },\n ],\n },\n };\n const res = await navigator.credentials?.get(req as any);\n return !!res && !!(res as any as FedCMAssertionResponse).token;\n } catch (e) {\n // Any error likely indicates no active session.\n return false;\n }\n },\n});\n\n// Helpers functions\nasync function getGoogleClient(): Promise<{\n initialize: OneTapInitialize;\n prompt: (cb: (notification: PromptNotification) => void) => void;\n}> {\n return new Promise((resolve, reject) => {\n if ((window as any).google) {\n resolve((window as any).google.accounts.id);\n return;\n }\n\n /* istanbul ignore next */\n let googleScript = document.getElementById(\n 'google-gsi-client-script',\n ) as HTMLScriptElement;\n\n /* istanbul ignore next */\n if (!googleScript) {\n googleScript = document.createElement('script');\n document.head.appendChild(googleScript);\n googleScript.async = true;\n googleScript.defer = true;\n googleScript.id = 'google-gsi-client-script';\n googleScript.src = 'https://accounts.google.com/gsi/client';\n }\n\n /* istanbul ignore next */\n googleScript.onload = function () {\n if ((window as any).google) {\n resolve((window as any).google.accounts.id);\n } else {\n reject('Failed to load Google GSI client script - not loaded properly');\n }\n };\n /* istanbul ignore next */\n googleScript.onerror = function () {\n reject('Failed to load Google GSI client script - failed to load');\n };\n });\n}\n\nexport default createFedCM;\nexport type { OneTapConfig };\n","import { CoreSdk, ReplaceParam } from '../types';\nimport { isSupported } from './webauthn';\n\ntype CoreSdkFlowStartArgs = Parameters<CoreSdk['flow']['start']>;\ntype Options = Pick<\n CoreSdkFlowStartArgs[1],\n | 'tenant'\n | 'redirectUrl'\n | 'redirectAuth'\n | 'oidcIdpStateId'\n | 'samlIdpStateId'\n | 'samlIdpUsername'\n | 'ssoAppId'\n | 'thirdPartyAppId'\n | 'oidcLoginHint'\n | 'preview'\n | 'abTestingKey'\n | 'client'\n | 'locale'\n | 'oidcPrompt'\n | 'oidcErrorRedirectUri'\n | 'nativeOptions'\n | 'thirdPartyAppStateId'\n | 'applicationScopes'\n> & {\n lastAuth?: Omit<CoreSdkFlowStartArgs[1]['lastAuth'], 'loginId' | 'name'>;\n};\n\nconst START_OPTIONS_VERSION_PREFER_START_REDIRECT_URL = 1;\n\nexport default (coreSdk: CoreSdk) => ({\n ...coreSdk.flow,\n // wrap start fn and adds more data to the start options\n start: async (...args: ReplaceParam<CoreSdkFlowStartArgs, '1', Options>) => {\n const webAuthnSupport = await isSupported();\n const decoratedOptions = {\n location: window.location.href,\n ...args[1],\n deviceInfo: {\n webAuthnSupport,\n },\n startOptionsVersion: START_OPTIONS_VERSION_PREFER_START_REDIRECT_URL,\n };\n\n args[1] = decoratedOptions;\n\n return coreSdk.flow.start(...args);\n },\n});\n","export const hasOidcParamsInUrl = () => {\n return (\n window.location.search.includes('code') &&\n window.location.search.includes('state')\n );\n};\n\nexport const removeOidcParamFromUrl = () => {\n // Retrieve the current URL from the browser's address bar\n const currentUrl = new URL(window.location.href);\n\n // Remove the 'code' and 'state' query parameters if it exist\n currentUrl.searchParams.delete('code');\n currentUrl.searchParams.delete('state');\n\n // Update the URL displayed in the browser without reloading the page\n window.history.replaceState({}, document.title, currentUrl.toString());\n};\n","import { RequestConfig, SdkResponse, URLResponse } from '@descope/core-js-sdk';\nimport type {\n CreateSigninRequestArgs,\n CreateSignoutRequestArgs,\n OidcClient,\n OidcClientSettings,\n SigninResponse,\n WebStorageStateStore,\n} from 'oidc-client-ts';\nimport {\n OIDC_CLIENT_TS_DESCOPE_CDN_URL,\n OIDC_CLIENT_TS_JSDELIVR_CDN_URL,\n} from '../../constants';\nimport { getIdToken } from '../../enhancers/withPersistTokens/helpers';\nimport { CoreSdk, OidcConfig, OidcConfigOptions } from '../../types';\nimport { hasOidcParamsInUrl, removeOidcParamFromUrl } from './helpers';\n\ntype OidcModule = {\n OidcClient: typeof OidcClient;\n WebStorageStateStore: typeof WebStorageStateStore;\n};\n\ntype SignInResponseStorage = Pick<\n SigninResponse,\n 'id_token' | 'session_state' | 'profile'\n>;\n\nlet scriptLoadingPromise: Promise<OidcModule>;\n\nconst simpleHash = (input: string): string => {\n let hash = 0;\n\n for (let i = 0; i < input.length; i++) {\n const char = input.charCodeAt(i);\n hash = (hash << 5) - hash + char;\n hash = hash & hash; // Convert to 32-bit integer\n }\n\n return Math.abs(hash).toString(16); // Return hash as a positive hexadecimal string\n};\n\nconst loadScriptWithFallback = (\n urls: string[],\n getEntry: () => OidcModule,\n): Promise<OidcModule> => {\n return new Promise((resolve, reject) => {\n if (!urls.length)\n return reject(new Error('No URLs provided to loadScriptWithFallback'));\n\n const entry = getEntry();\n if (entry) return resolve(entry);\n\n const url = urls.shift();\n\n const scriptEle = document.createElement('script');\n scriptEle.src = url;\n scriptEle.id = simpleHash(url);\n scriptEle.onload = () => {\n const entry = getEntry();\n if (entry) return resolve(entry);\n throw new Error('Could not get entry after loading script from URL');\n };\n scriptEle.addEventListener('error', () => {\n loadScriptWithFallback(urls, getEntry);\n scriptEle.setAttribute('data-error', 'true');\n });\n document.body.appendChild(scriptEle);\n });\n};\n\nconst loadOIDCModule = async (): Promise<OidcModule> => {\n try {\n return import('oidc-client-ts');\n } catch (e) {\n return loadScriptWithFallback(\n [OIDC_CLIENT_TS_DESCOPE_CDN_URL, OIDC_CLIENT_TS_JSDELIVR_CDN_URL],\n () => window['oidc'],\n );\n }\n};\n\nfunction oidcSignInResToStorage(\n signInRes: SigninResponse,\n): SignInResponseStorage {\n return {\n id_token: signInRes.id_token,\n session_state: signInRes.session_state,\n profile: signInRes.profile,\n };\n}\n\nconst getUserFromStorage = (\n stateUserKey: string,\n): SignInResponseStorage | null => {\n const user = window.localStorage.getItem(stateUserKey);\n return user ? JSON.parse(user) : null;\n};\n\nconst getOidcClient = async (\n sdk: CoreSdk,\n projectId: string,\n oidcConfig?: OidcConfigOptions,\n) => {\n if (!scriptLoadingPromise) {\n scriptLoadingPromise = loadOIDCModule();\n }\n const { OidcClient, WebStorageStateStore } = await scriptLoadingPromise;\n\n if (!OidcClient) {\n throw new Error(\n 'oidc-client-ts is not installed. Please install it by running `npm install oidc-client-ts`',\n );\n }\n\n const clientId = projectId;\n const redirectUri = oidcConfig?.redirectUri || window.location.href;\n const scope =\n oidcConfig?.scope ||\n 'openid email roles descope.custom_claims offline_access';\n const stateUserKey = `${clientId}_user`;\n\n let authority = sdk.httpClient.buildUrl(projectId);\n if (oidcConfig?.applicationId) {\n // append the applicationId to the authority\n authority = `${authority}/${oidcConfig.applicationId}`;\n }\n\n const settings: OidcClientSettings = {\n authority,\n client_id: projectId,\n redirect_uri: redirectUri,\n response_type: 'code',\n scope,\n stateStore: new WebStorageStateStore({\n store: window.localStorage,\n prefix: clientId,\n }),\n loadUserInfo: true,\n fetchRequestCredentials: 'same-origin',\n };\n\n if (oidcConfig?.redirectUri) {\n settings.redirect_uri = oidcConfig.redirectUri;\n }\n if (oidcConfig?.scope) {\n settings.scope = oidcConfig.scope;\n }\n return {\n client: new OidcClient(settings),\n stateUserKey,\n };\n};\n\nconst createOidc = (\n sdk: CoreSdk,\n projectId: string,\n oidcConfig?: OidcConfig,\n) => {\n const getCachedClient = async (): Promise<{\n client: OidcClient;\n stateUserKey: string;\n }> => {\n let client, stateUserKey;\n if (!client || !stateUserKey) {\n ({ client, stateUserKey } = await getOidcClient(\n sdk,\n projectId,\n oidcConfig as OidcConfigOptions,\n ));\n }\n return { client, stateUserKey };\n };\n\n // Start the login process by creating a signin request\n // And redirecting the user to the returned URL\n const login = async (\n arg: CreateSigninRequestArgs = {},\n disableNavigation: boolean = false,\n ): Promise<SdkResponse<URLResponse>> => {\n const { client } = await getCachedClient();\n const res = await client.createSigninRequest(arg);\n const { url } = res;\n if (!disableNavigation) {\n window.location.href = url;\n }\n return { ok: true, data: res };\n };\n\n // Finish the login process by processing the signin response\n // This function should be called after the user is redirected from the OIDC IdP\n const finishLogin = async (url: string = ''): Promise<any> => {\n const { client, stateUserKey } = await getCachedClient();\n const res = await client.processSigninResponse(url || window.location.href);\n\n // In order to make sure all the after-hooks are running with the success response\n // we are generating a fake response with the success data and calling the http client after hook fn with it\n await sdk.httpClient.hooks?.afterRequest(\n {} as any,\n new Response(JSON.stringify(res)),\n );\n\n window.localStorage.setItem(\n stateUserKey,\n JSON.stringify(oidcSignInResToStorage(res)),\n );\n // remove the code from the URL\n removeOidcParamFromUrl();\n\n return res;\n };\n\n // Finish the login process if the OIDC params are in the URL, if not, do nothing\n // This function should be called after the user is redirected\n // Note: high level SDKs should call this function to check if the user is in the middle of the login process\n // Asaf - alternative name: conditionallyFinishLogin\n const finishLoginIfNeed = async (url: string = ''): Promise<any> => {\n if (hasOidcParamsInUrl()) {\n return await finishLogin(url);\n }\n };\n\n // Start the logout process by creating a signout request\n // And redirecting the user to the returned URL\n const logout = async (\n arg?: CreateSignoutRequestArgs,\n disableNavigation: boolean = false,\n ): Promise<any> => {\n const { client, stateUserKey } = await getCachedClient();\n if (!arg) {\n arg = {};\n }\n\n // if id_token_hint is not provided, we will use the one from the storage\n arg.id_token_hint = arg.id_token_hint || getIdToken();\n arg.post_logout_redirect_uri =\n arg.post_logout_redirect_uri || window.location.href;\n\n const res = await client.createSignoutRequest(arg);\n const { url } = res;\n window.localStorage.removeItem(stateUserKey);\n if (!disableNavigation) {\n window.location.replace(url);\n }\n return res;\n };\n\n // Refresh the access token using the refresh token\n const refreshToken = async (refreshToken: string) => {\n const { client, stateUserKey } = await getCachedClient();\n\n const user = getUserFromStorage(stateUserKey);\n if (!user) {\n throw new Error('User not found in storage to refresh token');\n }\n\n let refresh_token = refreshToken;\n if (!refresh_token) {\n // if refresh token is not provided, we will use the one from the hooks\n const config = {} as RequestConfig;\n sdk.httpClient.hooks.beforeRequest(config);\n refresh_token = config.token;\n }\n const res = await client.useRefreshToken({\n state: {\n refresh_token,\n session_state: user.session_state,\n profile: user.profile,\n },\n });\n\n // In order to make sure all the after-hooks are running with the success response\n // we are generating a fake response with the success data and calling the http client after hook fn with it\n await sdk.httpClient.hooks?.afterRequest(\n {} as any,\n new Response(JSON.stringify(res)),\n );\n\n return res;\n };\n\n return {\n login,\n finishLogin,\n finishLoginIfNeed,\n refreshToken,\n logout,\n };\n};\n\nexport default createOidc;\nexport type { OidcConfig };\n","import { compose } from './enhancers/helpers';\nimport { withAnalytics } from './enhancers/withAnalytics';\nimport { withAutoRefresh } from './enhancers/withAutoRefresh';\nimport { withFingerprint } from './enhancers/withFingerprint';\nimport { withLastLoggedInUser } from './enhancers/withLastLoggedInUser';\nimport { withNotifications } from './enhancers/withNotifications';\nimport withPersistTokens from './enhancers/withPersistTokens';\nimport createSdk from './sdk';\n\nconst decoratedCreateSdk = compose(\n withFingerprint,\n withAutoRefresh,\n withAnalytics,\n withNotifications,\n withLastLoggedInUser, // must be one before last due to TS types\n withPersistTokens, // must be last due to TS known limitation https://github.com/microsoft/TypeScript/issues/30727\n)(createSdk);\n\nexport type { UserResponse, OidcConfig } from './types';\n\n// Note: make sure to update ./test/umd.test.ts when adding new constants\nexport {\n REFRESH_TOKEN_KEY,\n SESSION_TOKEN_KEY,\n} from './enhancers/withPersistTokens/constants';\n\nexport {\n ensureFingerprintIds,\n clearFingerprintData,\n} from './enhancers/withFingerprint/helpers';\n\nexport { hasOidcParamsInUrl } from './sdk/oidc/helpers';\n\nexport type { OneTapConfig } from './sdk/fedcm';\nexport type { CookieConfig } from './enhancers/withPersistTokens/types';\nexport default decoratedCreateSdk;\n","type Fn = (arg: any) => any;\n\nexport function compose<Input, A1>(\n fn1: (input: Input) => A1,\n): (input: Input) => A1;\n\nexport function compose<Input, A1, A2>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n): (input: Input) => A2;\n\nexport function compose<Input, A1, A2, A3>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n): (input: Input) => A3;\n\nexport function compose<Input, A1, A2, A3, A4>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n): (input: Input) => A4;\n\nexport function compose<Input, A1, A2, A3, A4, A5>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n): (input: Input) => A5;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n): (input: Input) => A6;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n): (input: Input) => A7;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7, A8>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n fn8: (input: A7) => A8,\n): (input: Input) => A8;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7, A8, A9>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n fn8: (input: A7) => A8,\n fn9: (input: A8) => A9,\n): (input: Input) => A9;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7, A8, A9, A10>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n fn8: (input: A7) => A8,\n fn9: (input: A8) => A9,\n fn10: (input: A9) => A10,\n): (input: Input) => A10;\n\n/**\n * Currently there is no way to create a compose function in Typescript without using overloading\n * This function currently support up to 10 wrappers\n * If needed you can add more by duplicating the type and add more parameters\n */\n\nexport function compose(...args: Fn[]) {\n return (data: any) => args.reduce((acc, elem) => elem(acc), data) as any;\n}\n","import { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport { addHooks, getAuthInfoFromResponse } from '../helpers';\nimport {\n createTimerFunctions,\n getTokenExpiration,\n getAutoRefreshTimeout,\n} from './helpers';\nimport { AutoRefreshOptions } from './types';\nimport logger from '../helpers/logger';\nimport { IS_BROWSER, REFRESH_THRESHOLD } from '../../constants';\nimport { getRefreshToken } from '../withPersistTokens/helpers';\n\n/**\n * Automatically refresh the session token before it expires\n * It uses the the refresh token that is extracted from API response to do that\n */\nexport const withAutoRefresh =\n <T extends CreateWebSdk>(createSdk: T) =>\n ({ autoRefresh, ...config }: Parameters<T>[0] & AutoRefreshOptions) => {\n if (!autoRefresh) return createSdk(config);\n\n // if we hold a single timer id, there might be a case where we override it before canceling the timer, this might cause many calls to refresh\n // in order to prevent it, we hold a list of timers and cancel all of them when a new timer is set, which means we should have one active timer only at a time\n const { clearAllTimers, setTimer } = createTimerFunctions();\n\n // we need to hold the expiration time and the refresh token in order to refresh the session\n // when the user comes back to the tab or from background/lock screen/etc.\n let sessionExpirationDate: Date;\n let refreshToken: string;\n if (IS_BROWSER) {\n document.addEventListener('visibilitychange', () => {\n // tab becomes visible and the session is expired, do a refresh\n if (\n document.visibilityState === 'visible' &&\n sessionExpirationDate &&\n new Date() > sessionExpirationDate\n ) {\n logger.debug('Expiration time passed, refreshing session');\n // We prefer the persisted refresh token over the one from the response\n // for a case that the token was refreshed from another tab, this mostly relevant\n // when the project uses token rotation\n sdk.refresh(getRefreshToken() || refreshToken);\n }\n });\n }\n\n const afterRequest: AfterRequestHook = async (_req, res) => {\n const { sessionJwt, refreshJwt, sessionExpiration } =\n await getAuthInfoFromResponse(res);\n\n // if we got 401 we want to cancel all timers\n if (res?.status === 401) {\n logger.debug('Received 401, canceling all timers');\n clearAllTimers();\n } else if (sessionJwt || sessionExpiration) {\n sessionExpirationDate = getTokenExpiration(\n sessionJwt,\n sessionExpiration,\n );\n if (!sessionExpirationDate) {\n logger.debug('Could not extract expiration time from session token');\n return;\n }\n refreshToken = refreshJwt;\n const timeout = getAutoRefreshTimeout(sessionExpirationDate);\n clearAllTimers();\n\n if (timeout <= REFRESH_THRESHOLD) {\n /*\n When receiving a session with very short expiration - it means that the refresh token is also close to expiration\n This happens because session expiration cannot be more than the refresh expiration\n In this case - the user is going to be logged out soon, so we don't want to set a refresh timer\n */\n logger.debug(\n 'Session is too close to expiration, not setting refresh timer',\n );\n return;\n }\n\n const refreshTimeStr = new Date(\n Date.now() + timeout,\n ).toLocaleTimeString('en-US', { hour12: false });\n logger.debug(\n `Setting refresh timer for ${refreshTimeStr}. (${timeout}ms)`,\n );\n\n setTimer(() => {\n logger.debug('Refreshing session due to timer');\n // We prefer the persisted refresh token over the one from the response\n // for a case that the token was refreshed from another tab, this mostly relevant\n // when the project uses token rotation\n sdk.refresh(getRefreshToken() || refreshJwt);\n }, timeout);\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n const wrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n logger.debug('Clearing all timers');\n clearAllTimers();\n\n return resp;\n };\n\n return wrapWith(sdk, ['logout', 'logoutAll', 'oidc.logout'], wrapper);\n };\n","import { CreateWebSdk } from '../sdk';\nimport { BeforeRequestHook } from '../types';\nimport { addHooks } from './helpers';\n\n// this is replaced in build time\ndeclare const BUILD_VERSION: string;\n/**\n * Adds analytics headers to requests\n */\nexport const withAnalytics =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0]) =>\n createSdk({\n ...config,\n baseHeaders: {\n 'x-descope-sdk-name': 'web-js',\n 'x-descope-sdk-version': BUILD_VERSION,\n ...config.baseHeaders,\n },\n });\n","import createCoreSdk, { SdkResponse } from '@descope/core-js-sdk';\nimport createWebAuthn from './webauthn';\nimport createFedCM from './fedcm';\nimport withFlow from './flow';\nimport {\n getSessionToken,\n getRefreshToken,\n} from '../enhancers/withPersistTokens/helpers';\nimport createOidc from './oidc';\nimport { CoreSdk, WebSdkConfig } from '../types';\n\nconst OIDC_LOGOUT_ERROR_CODE = 'J161000';\nconst OIDC_REFRESH_ERROR_CODE = 'J161001';\n\nconst createSdk = (config: WebSdkConfig) => {\n const coreSdk = createCoreSdk(config);\n\n const oidc = createOidc(coreSdk, config.projectId, config.oidcConfig);\n\n return {\n ...coreSdk,\n refresh: async (token?: string): ReturnType<CoreSdk['refresh']> => {\n if (config.oidcConfig) {\n try {\n const res = await oidc.refreshToken(token);\n return Promise.resolve({ ok: true });\n } catch (error) {\n return Promise.resolve({\n ok: false,\n error: {\n errorCode: OIDC_REFRESH_ERROR_CODE,\n errorDescription: error.toString(),\n },\n });\n }\n }\n // Descope use this query param to monitor if refresh is made\n // When the user is already logged in in the past or not (We want to optimize that in the future)\n const currentSessionToken = getSessionToken();\n const currentRefreshToken = getRefreshToken();\n return coreSdk.refresh(token, {\n dcs: currentSessionToken ? 't' : 'f',\n dcr: currentRefreshToken ? 't' : 'f',\n });\n },\n // Call the logout function according to the oidcConfig\n // And return the response in the same format\n logout: async (token?: string): Promise<SdkResponse<never>> => {\n if (config.oidcConfig) {\n // logout is made with id_token_hint\n try {\n await oidc.logout({ id_token_hint: token });\n return Promise.resolve({ ok: true });\n } catch (error) {\n return Promise.resolve({\n ok: false,\n error: {\n errorCode: OIDC_LOGOUT_ERROR_CODE,\n errorDescription: error.toString(),\n },\n });\n }\n }\n return coreSdk.logout(token);\n },\n flow: withFlow(coreSdk),\n webauthn: createWebAuthn(coreSdk),\n fedcm: createFedCM(coreSdk, config.projectId),\n oidc,\n };\n};\n\nexport default createSdk;\n\nexport type CreateWebSdk = typeof createSdk;\nexport type WebSdk = ReturnType<CreateWebSdk>;\n"],"names":["getExpirationFromToken","token","jwtDecode","exp","e","oidcRefreshTokenExpiration","response","refresh_expire_in","refresh_token","Math","floor","Date","now","oidcAccessTokenExpiration","expires_in","expires_at","access_token","addHooks","config","hooks","reduce","acc","key","concat","_a","getAuthInfoFromResponse","async","res","ok","body","clone","json","id_token","rest","__rest","Object","assign","sessionJwt","idToken","refreshJwt","sessionExpiration","cookieExpiration","normalizeWebJWTResponseToJWTResponse","authInfo","getUserFromResponse","user","hasOwnProperty","undefined","isLocalStorage","localStorage","setLocalStorage","value","setItem","getLocalStorage","getItem","removeLocalStorage","removeItem","logger","args","console","debug","OIDC_CLIENT_TS_VERSION","IS_BROWSER","window","MAX_TIMEOUT","pow","OIDC_CLIENT_TS_DESCOPE_CDN_URL","OIDC_CLIENT_TS_JSDELIVR_CDN_URL","getAutoRefreshTimeout","timeout","date","getTime","SESSION_TOKEN_KEY","REFRESH_TOKEN_KEY","ID_TOKEN_KEY","setJwtTokenCookie","name","cookieDomain","cookiePath","cookieSameSite","cookieSecure","expires","domainMatches","currentDomainParts","location","hostname","split","cookieDomainParts","slice","length","join","isCurrentDomainOrParentDomain","Cookies","set","path","domain","sameSite","secure","getRefreshToken","prefix","getSessionToken","get","getIdToken","clearTokens","remove","FP_EP_URL","VISITOR_SESSION_ID_PARAM","VISITOR_REQUEST_ID_PARAM","FP_STORAGE_KEY","getFPFromStorage","returnExpired","itemStr","item","JSON","parse","expiry","ensureFingerprintIds","fpKey","baseUrl","sessionId","toString","random","substring","endpointUrl","URL","pathname","patterUrl","scriptUrlPattern","agentP","load","apiKey","endpoint","defaultEndpoint","defaultScriptUrlPattern","agent","requestId","linkedId","fpData","createFingerprintObject","stringify","setFPToStorage","ex","warn","clearFingerprintData","beforeRequest","data","LOCAL_STORAGE_LAST_USER_LOGIN_ID","LOCAL_STORAGE_LAST_USER_DISPLAY_NAME","getLastUserLoginId","getLastUserDisplayName","startWrapper","fn","options","loginId","displayName","lastAuth","logoutWrapper","keepOnLogout","resp","createPubSub","cbs","pub","forEach","cb","sub","idx","push","splice","wrapper","create","createOptions","publicKey","challenge","decodeBase64Url","id","excludeCredentials","decodeCreateOptions","createResponse","navigator","credentials","credential","rawId","encodeBase64Url","type","attestationObject","clientDataJSON","getOptions","decodeGetOptions","encodeGetResponse","conditional","abort","signal","mediation","isSupported","requirePlatformAuthenticator","Promise","resolve","supported","PublicKeyCredential","isUserVerifyingPlatformAuthenticatorAvailable","allowCredentials","authenticatorData","signature","userHandle","base64","replace","Uint8Array","from","atob","c","charCodeAt","buffer","btoa","String","fromCharCode","apply","creator","createWebAuthn$1","sdk","signUp","identifier","passkeyOptions","startResponse","webauthn","start","origin","finish","transactionId","signIn","getResponse","signUpOrIn","update","helpers","obj","apiPaths","createFedCM","projectId","oneTap","provider","oneTapConfig","loginOptions","onSkip","onDismissed","readyProvider","oauth","startNative","clientId","stateId","nonce","googleClient","reject","google","accounts","googleScript","document","getElementById","createElement","head","appendChild","defer","src","onload","onerror","getGoogleClient","initialize","itp_support","use_fedcm_for_prompt","_b","client_id","callback","finishNative","prompt","notification","isDismissedMoment","reason","getDismissedReason","isSkippedMoment","getSkippedReason","launch","context","req","identity","providers","configURL","httpClient","buildUrl","refresh","isLoggedIn","withFlow","coreSdk","flow","webAuthnSupport","decoratedOptions","href","deviceInfo","startOptionsVersion","hasOidcParamsInUrl","search","includes","scriptLoadingPromise","loadScriptWithFallback","urls","getEntry","Error","entry","url","shift","scriptEle","input","hash","i","abs","simpleHash","addEventListener","setAttribute","getOidcClient","oidcConfig","import","loadOIDCModule","OidcClient","WebStorageStateStore","redirectUri","scope","stateUserKey","authority","applicationId","settings","redirect_uri","response_type","stateStore","store","loadUserInfo","fetchRequestCredentials","client","createOidc","getCachedClient","finishLogin","processSigninResponse","signInRes","afterRequest","Response","session_state","profile","currentUrl","searchParams","delete","history","replaceState","title","removeOidcParamFromUrl","login","arg","disableNavigation","createSigninRequest","finishLoginIfNeed","refreshToken","getUserFromStorage","useRefreshToken","state","logout","id_token_hint","post_logout_redirect_uri","createSignoutRequest","decoratedCreateSdk","elem","compose","createSdk","fpLoad","catch","autoRefresh","clearAllTimers","setTimer","timerIds","clearTimeout","pop","setTimeout","createTimerFunctions","sessionExpirationDate","visibilityState","_req","status","claims","getTokenExpiration","refreshTimeStr","toLocaleTimeString","hour12","wrapWith","baseHeaders","sessionExpirationPS","sessionPS","userPS","userDetails","wrappedSdk","onSessionTokenChange","onUserChange","onIsAuthenticatedChange","storeLastAuthenticatedUser","keepLastAuthenticatedUserAfterLogout","loginIds","setLastUserLoginId","setLastUserDisplayName","persistTokens","isPersistTokens","sessionTokenViaCookie","storagePrefix","isManagementApi","test","createCoreSdk","oidc","error","errorCode","errorDescription","currentSessionToken","currentRefreshToken","dcs","dcr","createWebAuthn","fedcm"],"mappings":"4PAIA,MAAMA,EAA0BC,IAC9B,IAEE,OADeC,EAAsBD,GACvBE,GACf,CAAC,MAAOC,GACP,OAAO,IACR,GAGGC,EAA8BC,IAClC,MAAMC,kBAAEA,EAAiBC,cAAEA,GAAkBF,EAC7C,OAAIC,EACKE,KAAKC,MAAMC,KAAKC,MAAQ,KAAQL,EAElCP,EAAuBQ,EAAc,EAGxCK,EAA6BP,IAKjC,MAAMQ,WAAEA,EAAUC,WAAEA,EAAUC,aAAEA,GAAiBV,EACjD,OAAIS,IAGAD,EAEKL,KAAKC,MAAMC,KAAKC,MAAQ,KAAQE,EAErCE,EAEKhB,EAAuBgB,QAFhC,EAIgB,EAwBLC,EAAW,CACtBC,EACAC,WAaA,MAXA,CAAC,gBAAiB,gBAAgBC,QAChC,CAACC,EAAKC,WAKJ,OAJAD,EAAIC,GAAO,GACRC,QAAmB,QAAZC,EAAAN,EAAOC,aAAK,IAAAK,OAAA,EAAAA,EAAGF,KAAQ,IAC9BC,QAAOJ,aAAK,EAALA,EAAQG,KAAQ,IAEnBD,CAAG,GAEC,QAAbG,EAACN,EAAOC,aAAK,IAAAK,EAAAA,EAAZN,EAAOC,MAAU,CAAA,GAGbD,CAAM,EAUFO,EAA0BC,MACrCC,IAEA,KAAKA,aAAA,EAAAA,EAAKC,IAAI,MAAO,GACrB,MAAMC,QAAaF,aAAA,EAAAA,EAAKG,QAAQC,QAEhC,MApD2C,CAC3CzB,IAEA,MAAMU,aAAEA,EAAYgB,SAAEA,EAAQxB,cAAEA,EAAaD,kBAAEA,GAC7CD,EADmE2B,EAAIC,EACvE5B,EADI,CAAA,eAAA,WAAA,gBAAA,sBAEN,OAAA6B,OAAAC,OAAA,CACEC,WAAY/B,EAAS+B,YAAcrB,EACnCsB,QAASN,EACTO,WAAYjC,EAASiC,YAAc/B,EACnCgC,kBACElC,EAASkC,mBAAqB3B,EAA0BP,GAC1DmC,iBACEnC,EAASmC,kBACRpC,EAA2BC,IAC3B2B,EACH,EAqCKS,EADUb,aAAI,EAAJA,EAAMc,WAAYd,GAAS,CAAA,EACS,EAQ1Ce,EAAsBlB,MACjCC,IAEA,MAAMgB,QAAiBlB,EAAwBE,GAE/C,OACEgB,aAAA,EAAAA,EAAUE,SACTF,aAAQ,EAARA,EAAUG,eAAe,WACrBH,OACDI,EACJ,EAGSC,EAAyC,oBAAjBC,aAExBC,EAAkB,CAAC5B,EAAa6B,IAC3CH,IAAkB,OAAAC,mBAAA,IAAAA,kBAAA,EAAAA,aAAcG,QAAQ9B,EAAK6B,IAClCE,EAAmB/B,GAC9B0B,IAAkB,OAAAC,uBAAAA,oBAAAA,aAAcK,QAAQhC,IAC7BiC,EAAsBjC,GACjC0B,IAAkB,OAAAC,uBAAAA,oBAAAA,aAAcO,WAAWlC,ICzHvCmC,EACG,IAAIC,KAETC,QAAQC,SAASF,EAAK,ECHpBG,EAAyB,QAGlBC,EAA+B,oBAAXC,OAIpBC,EAAcvD,KAAKwD,IAAI,EAAG,IAAM,EAKhCC,EAAiC,6CAA6CL,uCAC9EM,EAAkC,+CAA+CN,uCCoCjFO,EAAyB5B,IACpC,IAAI6B,IApBgCC,EAoBA9B,GAnB7B8B,EAAKC,WAAY,IAAI5D,MAAO4D,UAAY,GDrBhB,ICoBI,IAACD,EA6BpC,OAPID,EAAUL,IACZP,EACE,yBAAyBY,uBAA6BL,OAExDK,EAAUL,GAGLK,CAAO,EC1DHG,EAAoB,KAEpBC,EAAoB,MAEpBC,EAAe,MCiB5B,SAASC,EACPC,EACAzB,EACAR,GAIA,GAAIQ,EAAO,CACT,MAAM0B,aACJA,EAAYC,WACZA,EAAUC,eACVA,EAActC,iBACdA,EAAgBuC,aAChBA,GACErC,EACEsC,EAAU,IAAItE,KAAwB,IAAnB8B,GAEnByC,EAoBV,SAAuCL,GACrC,MACMM,EADgBpB,OAAOqB,SAASC,SACGC,MAAM,KACzCC,EAAoBV,EAAaS,MAAM,KAM7C,OAH4BH,EACzBK,OAAOD,EAAkBE,QACzBC,KAAK,OACuBb,CACjC,CA9B0Bc,CAA8Bd,GACpDe,EAAQC,IAAIjB,EAAMzB,EAAO,CACvB2C,KAAMhB,EACNiB,OAAQb,EAAgBL,OAAe9B,EACvCkC,UACAe,SAAUjB,EACVkB,OAAQjB,GAEX,CACH,CAyDgB,SAAAkB,EAAgBC,EAAiB,IAC/C,OAAO9C,EAAgB,GAAG8C,IAAS1B,MAAwB,EAC7D,CAMgB,SAAA2B,EAAgBD,EAAiB,IAC/C,OACEP,EAAQS,IAAI7B,IACZnB,EAAgB,GAAG8C,IAAS3B,MAC5B,EAEJ,CAEgB,SAAA8B,EAAWH,EAAiB,IAC1C,OAAO9C,EAAgB,GAAG8C,IAASzB,MAAmB,EACxD,CAGgB,SAAA6B,EAAYJ,EAAiB,IAC3C5C,EAAmB,GAAG4C,IAAS1B,KAC/BlB,EAAmB,GAAG4C,IAAS3B,KAC/BjB,EAAmB,GAAG4C,IAASzB,KAC/BkB,EAAQY,OAAOhC,EACjB,CAEO,MC/HMiC,EACV3C,IAA0B,OAAZb,mBAAY,IAAZA,kBAAY,EAAZA,aAAcK,QAJE,8BAK/B,0BAMWoD,EAA2B,OAE3BC,EAA2B,OAE3BC,EAAiB,KC+BxBC,EAAmB,CAACC,GAAgB,KACxC,MAAMC,EAAU9D,aAAaK,QAAQsD,GAErC,IAAKG,EACH,OAAO,KAET,MAAMC,EAAOC,KAAKC,MAAMH,GAIxB,OAHY,IAAIpG,MAGR4D,UAAYyC,EAAKG,SAAWL,EAC3B,KAEFE,EAAK7D,KAAK,EASNiE,EAAuB1F,MAClC2F,EACAC,EAAUb,KAEV,IACE,GAAII,IAEF,OAGF,MAAMU,GArDN5G,KAAKC,MAAM4G,SAAS,IACpB/G,KAAKgH,SAASD,SAAS,IAAIE,UAAU,GACrCjH,KAAKgH,SAASD,SAAS,IAAIE,UAAU,IACrCA,UAAU,EAAG,IAoDPC,EAAc,IAAIC,IAAIN,GAC5BK,EAAYE,SD3EmB,qCC6E/B,MAAMC,EAAY,IAAIF,IAAIN,GAC1BQ,EAAUD,SD7EmB,qCC8E7B,MAAME,EACJD,EAAUN,WACV,mEAGIQ,EAASC,EAAK,CAClBC,OAAQb,EACRc,SAAU,CACRR,EAAYH,WACZY,GAEFL,iBAAkB,CAChBA,EACAM,KAIEC,QAAcN,GACdO,UAAEA,SAAoBD,EAAMjC,IAAI,CAAEmC,SAAUjB,IAC5CkB,EA3FsB,EAC9BlB,EACAgB,KACuB,CACvB7B,CAACA,GAA2Ba,EAC5BZ,CAACA,GAA2B4B,IAsFXG,CAAwBnB,EAAWgB,GAtE/B,CAACpF,IACtB,MAGM6D,EAAO,CACX7D,QACAgE,QALU,IAAIxG,MAKF4D,UDvBc,OCyB5BtB,aAAaG,QAAQwD,EAAgBK,KAAK0B,UAAU3B,GAAM,EA+DxD4B,CAAeH,EAChB,CAAC,MAAOI,GAEPlF,QAAQmF,KAAK,6BAA8BD,EAC5C,GAaUE,EAAuB,KAClC9F,aAAaO,WAAWoD,EAAe,ECtHnCoC,EAAoC9H,IACxC,MAAM+H,EDgHCpC,GAAiB,GC3GxB,OAJIoC,GAAQ/H,EAAOW,OACjBX,EAAOW,KAAiB,OAAIoH,GAGvB/H,CAAM,ECbFgI,EAAmC,yBAGnCC,EACX,6BCSWC,EAAqB,IACzB/F,EAAgB6F,GAWZG,EAAyB,IAC7BhG,EAAgB8F,GCiCnBG,EACHC,GACD7H,SAAUgC,WACRA,EAAK,GAAKA,EAAK,IAAM,CAAA,EACrB,OAAS8F,EAAU,IAAM9F,EAGnB+F,EAAUL,IACVM,EAAcL,IAEhBI,IACc,QAAhBjI,EAAAgI,EAAQG,gBAAQ,IAAAnI,IAAhBgI,EAAQG,SAAa,CAAE,GACvBH,EAAQG,SAASF,QAAUA,EAC3BD,EAAQG,SAAS/E,KAAO8E,GAK1B,aAFmBH,KAAM7F,EAEd,EAGTkG,EACHC,GACAN,GACD7H,SAAUgC,KACR,MAAMoG,QAAaP,KAAM7F,GACzB,OAAImG,IDnECtG,EAAmB2F,GAYnB3F,EAAmB4F,ICwDfW,CAME,WC5FCC,IACd,MAAMC,EAAM,GAWZ,MAAO,CAAEC,IAJIhB,IACXe,EAAIE,SAASC,GAAOA,EAAGlB,IAAM,EAGjBmB,IATDD,IACX,MAAME,EAAML,EAAIM,KAAKH,GAAM,EAC3B,MAAO,IAAMH,EAAIO,OAAOF,EAAK,EAAE,EAQnC,CCEO,MCiEDG,EACHrE,GACAoD,GACD7H,SAAUgC,KACR,MAAMoG,QAAaP,KAAM7F,GAIzB,OAFA6C,EAAYJ,GAEL2D,CAAI,EC0CfpI,eAAe+I,EAAOjB,GACpB,MAAMkB,EAgER,SAA6BvH,SAC3B,MAAMqG,EAAUvC,KAAKC,MAAM/D,GAM3B,OALAqG,EAAQmB,UAAUC,UAAYC,GAAgBrB,EAAQmB,UAAUC,WAChEpB,EAAQmB,UAAU9H,KAAKiI,GAAKD,GAAgBrB,EAAQmB,UAAU9H,KAAKiI,IAC7B,QAAtCtJ,EAAAgI,EAAQmB,UAAUI,0BAAoB,IAAAvJ,GAAAA,EAAA0I,SAASlD,IAC7CA,EAAK8D,GAAKD,GAAgB7D,EAAK8D,GAAG,IAE7BtB,CACT,CAxEwBwB,CAAoBxB,GACpCyB,QAAwBC,UAAUC,YAAYV,OAClDC,GAEF,OAuEAU,EAvE4BH,EAyErBhE,KAAK0B,UAAU,CACpBmC,GAAIM,EAAWN,GACfO,MAAOC,GAAgBF,EAAWC,OAClCE,KAAMH,EAAWG,KACjBjL,SAAU,CACRkL,kBAAmBF,GAAgBF,EAAW9K,SAASkL,mBACvDC,eAAgBH,GAAgBF,EAAW9K,SAASmL,mBAT1D,IACEL,CAtEF,CAEA1J,eAAe2E,EAAImD,GACjB,MAAMkC,EAAaC,EAAiBnC,GAIpC,OAAOoC,SAHoBV,UAAUC,YAAY9E,IAC/CqF,GAGJ,CASAhK,eAAemK,EACbrC,EACAsC,GAEA,MAAMJ,EAAaC,EAAiBnC,GACpCkC,EAAWK,OAASD,EAAMC,OAC1BL,EAAWM,UAAY,cAIvB,OAAOJ,SAHoBV,UAAUC,YAAY9E,IAC/CqF,GAGJ,CAGOhK,eAAeuK,EACpBC,GAAwC,GAExC,IAAKpI,EACH,OAAOqI,QAAQC,SAAQ,GAEzB,MAAMC,KACJtI,OAAOuI,qBACPpB,UAAUC,aACVD,UAAUC,YAAYV,QACtBS,UAAUC,YAAY9E,KAExB,OACEgG,GACAH,GACAI,oBAAoBC,8CAEbD,oBAAoBC,gDAEtBF,CACT,CAsCA,SAASV,EAAiBxI,SACxB,MAAMqG,EAAUvC,KAAKC,MAAM/D,GAK3B,OAJAqG,EAAQmB,UAAUC,UAAYC,GAAgBrB,EAAQmB,UAAUC,WAC5B,QAApCpJ,EAAAgI,EAAQmB,UAAU6B,wBAAkB,IAAAhL,GAAAA,EAAA0I,SAASlD,IAC3CA,EAAK8D,GAAKD,GAAgB7D,EAAK8D,GAAG,IAE7BtB,CACT,CAEA,SAASoC,GAAkBR,GACzB,OAAOnE,KAAK0B,UAAU,CACpBmC,GAAIM,EAAWN,GACfO,MAAOC,GAAgBF,EAAWC,OAClCE,KAAMH,EAAWG,KACjBjL,SAAU,CACRmM,kBAAmBnB,GAAgBF,EAAW9K,SAASmM,mBACvDhB,eAAgBH,GAAgBF,EAAW9K,SAASmL,gBACpDiB,UAAWpB,GAAgBF,EAAW9K,SAASoM,WAC/CC,WAAYvB,EAAW9K,SAASqM,WAC5BrB,GAAgBF,EAAW9K,SAASqM,iBACpC5J,IAGV,CAIA,SAAS8H,GAAgB1H,GACvB,MAAMyJ,EAASzJ,EAAM0J,QAAQ,KAAM,KAAKA,QAAQ,KAAM,KACtD,OAAOC,WAAWC,KAAKC,KAAKJ,IAAUK,GAAMA,EAAEC,WAAW,KAAIC,MAC/D,CAEA,SAAS7B,GAAgBnI,GAEvB,OADeiK,KAAKC,OAAOC,aAAaC,MAAM,KAAM,IAAIT,WAAW3J,KACrD0J,QAAQ,MAAO,KAAKA,QAAQ,MAAO,KAAKA,QAAQ,KAAM,GACtE,CAGA,IAhQIW,GAgQWC,IAhQXD,GAkBoBE,IAAkB,CACxC,YAAMC,CACJC,EACAhJ,EACAiJ,GAEA,MAAMC,QAAsBJ,EAAIK,SAASJ,OAAOK,MAC9CJ,EACA7J,OAAOqB,SAAS6I,OAChBrJ,EACAiJ,GAEF,IAAKC,EAAclM,GACjB,OAAOkM,EAET,MAAM7C,QAAuBR,EAAOqD,EAAc7E,KAAKO,SAKvD,aAJ6BkE,EAAIK,SAASJ,OAAOO,OAC/CJ,EAAc7E,KAAKkF,cACnBlD,EAGH,EAED,YAAMmD,CAAOR,EAAoBC,GAC/B,MAAMC,QAAsBJ,EAAIK,SAASK,OAAOJ,MAC9CJ,EACA7J,OAAOqB,SAAS6I,YAChBlL,OACAA,EACA8K,GAEF,IAAKC,EAAclM,GACjB,OAAOkM,EAET,MAAMO,QAAoBhI,EAAIyH,EAAc7E,KAAKO,SAKjD,aAJ6BkE,EAAIK,SAASK,OAAOF,OAC/CJ,EAAc7E,KAAKkF,cACnBE,EAGH,EAED,gBAAMC,CAAWV,EAAoBC,SACnC,MAAMC,QAAsBJ,EAAIK,SAASO,WAAWN,MAClDJ,EACA7J,OAAOqB,SAAS6I,OAChBJ,GAEF,IAAKC,EAAclM,GACjB,OAAOkM,EAET,GAAwB,UAApBA,EAAc7E,YAAM,IAAAzH,OAAA,EAAAA,EAAAiJ,OAAQ,CAC9B,MAAMQ,QAAuBR,EAAOqD,EAAc7E,KAAKO,SAKvD,aAJ6BkE,EAAIK,SAASJ,OAAOO,OAC/CJ,EAAc7E,KAAKkF,cACnBlD,EAGH,CAAM,CACL,MAAMoD,QAAoBhI,EAAIyH,EAAc7E,KAAKO,SAKjD,aAJ6BkE,EAAIK,SAASK,OAAOF,OAC/CJ,EAAc7E,KAAKkF,cACnBE,EAGH,CACF,EAED,YAAME,CACJX,EACA3N,EACA4N,GAEA,MAAMC,QAAsBJ,EAAIK,SAASQ,OAAOP,MAC9CJ,EACA7J,OAAOqB,SAAS6I,OAChBhO,EACA4N,GAEF,IAAKC,EAAclM,GACjB,OAAOkM,EAET,MAAM7C,QAAuBR,EAAOqD,EAAc7E,KAAKO,SAKvD,aAJ6BkE,EAAIK,SAASQ,OAAOL,OAC/CJ,EAAc7E,KAAKkF,cACnBlD,EAGH,EAGDuD,QAAS,CAEP/D,SAEApE,MAGA4F,cACAJ,iBAnHF,IAAInI,KACF,MAAM+K,EAAMjB,MAAW9J,GAOvB,OALAvB,OAAOC,OAAOqM,EAAId,OAAQjK,EAAK,GAAGqK,SAASJ,QAC3CxL,OAAOC,OAAOqM,EAAIL,OAAQ1K,EAAK,GAAGqK,SAASK,QAC3CjM,OAAOC,OAAOqM,EAAIH,WAAY5K,EAAK,GAAGqK,SAASO,YAC/CnM,OAAOC,OAAOqM,EAAIF,OAAQ7K,EAAK,GAAGqK,SAASQ,QAEpCE,CAIN,GCtBE,MAAMC,GACJ,CACLxN,OAAQ,iBC8GNyN,GAAc,CAACjB,EAAckB,KAAuB,CACxD,YAAMC,CACJC,EACAC,EACAC,EACAC,EACAC,GAEA,MAAMC,EAAgBL,QAAAA,EAAY,SAC5BhB,QAAsBJ,EAAI0B,MAAMC,YACpCF,EACAH,GACA,GAEF,IAAKlB,EAAclM,GACjB,OAAOkM,EAGT,MAAMwB,SAAEA,EAAQC,QAAEA,EAAOC,MAAEA,GAAU1B,EAAc7E,KAC7CwG,QA2FV/N,iBAIE,OAAO,IAAIyK,SAAQ,CAACC,EAASsD,KAC3B,GAAK3L,OAAe4L,OAElB,YADAvD,EAASrI,OAAe4L,OAAOC,SAAS9E,IAK1C,IAAI+E,EAAeC,SAASC,eAC1B,4BAIGF,IACHA,EAAeC,SAASE,cAAc,UACtCF,SAASG,KAAKC,YAAYL,GAC1BA,EAAanO,OAAQ,EACrBmO,EAAaM,OAAQ,EACrBN,EAAa/E,GAAK,2BAClB+E,EAAaO,IAAM,0CAIrBP,EAAaQ,OAAS,WACftM,OAAe4L,OAClBvD,EAASrI,OAAe4L,OAAOC,SAAS9E,IAExC4E,EAAO,gEAEX,EAEAG,EAAaS,QAAU,WACrBZ,EAAO,2DACT,CAAC,GAEL,CAjI+Ba,GAC3B,OAAO,IAAIpE,SAASC,YAclBqD,EAAae,WACRrO,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAAA2M,IACH0B,YAA0C,QAA7BjP,EAAAuN,aAAY,EAAZA,EAAc0B,mBAAe,IAAAjP,GAAAA,EAC1CkP,qBAAwD,QAAlCC,EAAA5B,eAAAA,EAAc2B,4BAAoB,IAAAC,GAAAA,EACxDC,UAAWtB,EACXuB,SAlBgBlP,IAChByK,EACEsB,EAAI0B,MAAM0B,aACR3B,EACAI,EACA,GACA,GACA5N,EAAIyJ,YAEP,EAUDoE,WAGFC,EAAasB,QAAQC,YACnB,GAAI9B,IAAe8B,aAAY,EAAZA,EAAcC,qBAAjC,CACE,MAAMC,UAAS1P,EAAAwP,EAAaG,iDAC5BjC,SAAAA,EAAcgC,EAEf,MAGD,GAAIjC,IAAU+B,aAAY,EAAZA,EAAcI,mBAA5B,CACE,MAAMF,UAASP,EAAAK,EAAaK,+CAC5BpC,SAAAA,EAASiC,EAEV,SACD,GAEL,EACD,YAAMI,CACJC,SAEA,MAGMC,EAAqC,CACzCC,SAAU,CACRF,QAASA,GAAW,SACpBG,UAAW,CACT,CACEC,UARUjE,EAAIkE,WAAWC,SAC/BjD,EAAYF,GAAexN,QAQrBoO,SAAUV,MAKZjN,QAAiC,UAArBuJ,UAAUC,mBAAW,IAAA3J,OAAA,EAAAA,EAAE6E,IAAImL,IAC7C,OAAO9D,EAAIoE,QAASnQ,EAAsC1B,MAC3D,EACDgM,YAAW,IACFnI,GAAc,uBAAwBC,OAE/C,gBAAMgO,CACJR,SAEA,MAAMI,EAAYjE,EAAIkE,WAAWC,SAC/BjD,EAAYF,GAAexN,QAE7B,IACE,MAAMsQ,EAAqC,CACzCC,SAAU,CACRF,QAASA,GAAW,SACpBG,UAAW,CACT,CACEC,YACArC,SAAUV,MAKZjN,QAAiC,UAArBuJ,UAAUC,mBAAW,IAAA3J,OAAA,EAAAA,EAAE6E,IAAImL,IAC7C,QAAS7P,KAAUA,EAAsC1B,KAC1D,CAAC,MAAOG,GAEP,OAAO,CACR,CACF,IC5LH,IAAA4R,GAAgBC,GACX9P,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAAA6P,EAAQC,MAAI,CAEflE,MAAOtM,SAAUgC,KACf,MAAMyO,QAAwBlG,IACxBmG,EACJjQ,OAAAC,OAAAD,OAAAC,OAAA,CAAAgD,SAAUrB,OAAOqB,SAASiN,MACvB3O,EAAK,IAAE,CACV4O,WAAY,CACVH,mBAEFI,oBAbkD,IAkBpD,OAFA7O,EAAK,GAAK0O,EAEHH,EAAQC,KAAKlE,SAAStK,EAAK,IC9C/B,MAAM8O,GAAqB,IAE9BzO,OAAOqB,SAASqN,OAAOC,SAAS,SAChC3O,OAAOqB,SAASqN,OAAOC,SAAS,SCwBpC,IAAIC,GAEJ,MAYMC,GAAyB,CAC7BC,EACAC,IAEO,IAAI3G,SAAQ,CAACC,EAASsD,KAC3B,IAAKmD,EAAKpN,OACR,OAAOiK,EAAO,IAAIqD,MAAM,+CAE1B,MAAMC,EAAQF,IACd,GAAIE,EAAO,OAAO5G,EAAQ4G,GAE1B,MAAMC,EAAMJ,EAAKK,QAEXC,EAAYrD,SAASE,cAAc,UACzCmD,EAAU/C,IAAM6C,EAChBE,EAAUrI,GA3BK,CAACsI,IAClB,IAAIC,EAAO,EAEX,IAAK,IAAIC,EAAI,EAAGA,EAAIF,EAAM3N,OAAQ6N,IAEhCD,GAAQA,GAAQ,GAAKA,EADRD,EAAMlG,WAAWoG,GAE9BD,GAAOA,EAGT,OAAO5S,KAAK8S,IAAIF,GAAM7L,SAAS,GAAG,EAkBjBgM,CAAWP,GAC1BE,EAAU9C,OAAS,KACjB,MAAM2C,EAAQF,IACd,GAAIE,EAAO,OAAO5G,EAAQ4G,GAC1B,MAAM,IAAID,MAAM,oDAAoD,EAEtEI,EAAUM,iBAAiB,SAAS,KAClCb,GAAuBC,EAAMC,GAC7BK,EAAUO,aAAa,aAAc,OAAO,IAE9C5D,SAASjO,KAAKqO,YAAYiD,EAAU,IAyBxC,MAOMQ,GAAgBjS,MACpBgM,EACAkB,EACAgF,KAEKjB,KACHA,GAlCmBjR,WACrB,IACE,OAAOmS,OAAO,iBACf,CAAC,MAAOzT,GACP,OAAOwS,GACL,CAAC1O,EAAgCC,IACjC,IAAMJ,OAAa,MAEtB,GA0BwB+P,IAEzB,MAAMC,WAAEA,EAAUC,qBAAEA,SAA+BrB,GAEnD,IAAKoB,EACH,MAAM,IAAIhB,MACR,8FAIJ,MAAMzD,EAAWV,EACXqF,GAAcL,aAAA,EAAAA,EAAYK,cAAelQ,OAAOqB,SAASiN,KACzD6B,GACJN,aAAU,EAAVA,EAAYM,QACZ,0DACIC,EAAe,GAAG7E,SAExB,IAAI8E,EAAY1G,EAAIkE,WAAWC,SAASjD,IACpCgF,aAAU,EAAVA,EAAYS,iBAEdD,EAAY,GAAGA,KAAaR,EAAWS,iBAGzC,MAAMC,EAA+B,CACnCF,YACAxD,UAAWhC,EACX2F,aAAcN,EACdO,cAAe,OACfN,QACAO,WAAY,IAAIT,EAAqB,CACnCU,MAAO3Q,OAAOd,aACdkD,OAAQmJ,IAEVqF,cAAc,EACdC,wBAAyB,eAS3B,OANIhB,aAAU,EAAVA,EAAYK,eACdK,EAASC,aAAeX,EAAWK,cAEjCL,aAAU,EAAVA,EAAYM,SACdI,EAASJ,MAAQN,EAAWM,OAEvB,CACLW,OAAQ,IAAId,EAAWO,GACvBH,eACD,EAGGW,GAAa,CACjBpH,EACAkB,EACAgF,KAEA,MAAMmB,EAAkBrT,UAItB,IAAImT,EAAQV,EAQZ,OAPKU,GAAWV,KACXU,SAAQV,sBAAuBR,GAChCjG,EACAkB,EACAgF,IAGG,CAAEiB,SAAQV,eAAc,EAoB3Ba,EAActT,MAAOuR,EAAc,YACvC,MAAM4B,OAAEA,EAAMV,aAAEA,SAAuBY,IACjCpT,QAAYkT,EAAOI,sBAAsBhC,GAAOlP,OAAOqB,SAASiN,MA/G1E,IACE6C,EA8HE,aAZ0B,QAApB1T,EAAAkM,EAAIkE,WAAWzQ,aAAK,IAAAK,OAAA,EAAAA,EAAE2T,aAC1B,CAAS,EACT,IAAIC,SAASnO,KAAK0B,UAAUhH,MAG9BoC,OAAOd,aAAaG,QAClB+Q,EACAlN,KAAK0B,UAvHF,CACL3G,UAHFkT,EAyH0CvT,GAtHpBK,SACpBqT,cAAeH,EAAUG,cACzBC,QAASJ,EAAUI,WDhFe,MAEpC,MAAMC,EAAa,IAAI3N,IAAI7D,OAAOqB,SAASiN,MAG3CkD,EAAWC,aAAaC,OAAO,QAC/BF,EAAWC,aAAaC,OAAO,SAG/B1R,OAAO2R,QAAQC,aAAa,CAAE,EAAE7F,SAAS8F,MAAOL,EAAW/N,WAAW,EC8LpEqO,GAEOlU,CAAG,EAwEZ,MAAO,CACLmU,MA1GYpU,MACZqU,EAA+B,CAAA,EAC/BC,GAA6B,KAE7B,MAAMnB,OAAEA,SAAiBE,IACnBpT,QAAYkT,EAAOoB,oBAAoBF,IACvC9C,IAAEA,GAAQtR,EAIhB,OAHKqU,IACHjS,OAAOqB,SAASiN,KAAOY,GAElB,CAAErR,IAAI,EAAMqH,KAAMtH,EAAK,EAiG9BqT,cACAkB,kBApEwBxU,MAAOuR,EAAc,MAC7C,GAAIT,KACF,aAAawC,EAAY/B,EAC1B,EAkEDkD,aArCmBzU,MAAOyU,UAC1B,MAAMtB,OAAEA,EAAMV,aAAEA,SAAuBY,IAEjClS,EA/JiB,CACzBsR,IAEA,MAAMtR,EAAOkB,OAAOd,aAAaK,QAAQ6Q,GACzC,OAAOtR,EAAOoE,KAAKC,MAAMrE,GAAQ,IAAI,EA2JtBuT,CAAmBjC,GAChC,IAAKtR,EACH,MAAM,IAAIkQ,MAAM,8CAGlB,IAAIvS,EAAgB2V,EACpB,IAAK3V,EAAe,CAElB,MAAMU,EAAS,CAAA,EACfwM,EAAIkE,WAAWzQ,MAAM6H,cAAc9H,GACnCV,EAAgBU,EAAOjB,KACxB,CACD,MAAM0B,QAAYkT,EAAOwB,gBAAgB,CACvCC,MAAO,CACL9V,gBACA6U,cAAexS,EAAKwS,cACpBC,QAASzS,EAAKyS,WAWlB,aAL0B,QAApB9T,EAAAkM,EAAIkE,WAAWzQ,aAAK,IAAAK,OAAA,EAAAA,EAAE2T,aAC1B,CAAS,EACT,IAAIC,SAASnO,KAAK0B,UAAUhH,MAGvBA,CAAG,EAQV4U,OA9Da7U,MACbqU,EACAC,GAA6B,KAE7B,MAAMnB,OAAEA,EAAMV,aAAEA,SAAuBY,IAClCgB,IACHA,EAAM,CAAA,GAIRA,EAAIS,cAAgBT,EAAIS,eAAiBlQ,IACzCyP,EAAIU,yBACFV,EAAIU,0BAA4B1S,OAAOqB,SAASiN,KAElD,MAAM1Q,QAAYkT,EAAO6B,qBAAqBX,IACxC9C,IAAEA,GAAQtR,EAKhB,OAJAoC,OAAOd,aAAaO,WAAW2Q,GAC1B6B,GACHjS,OAAOqB,SAASyH,QAAQoG,GAEnBtR,CAAG,EA2CX,ECrRGgV,GCoFU,YAAWjT,GACzB,OAAQuF,GAAcvF,EAAKtC,QAAO,CAACC,EAAKuV,IAASA,EAAKvV,IAAM4H,EAC9D,CDtF2B4N,EbYAC,GACxBtV,QAAA6F,MAAEA,EAAK0P,OAAEA,GAAMvV,EAAKN,EAAMgB,EAAAV,EAA1B,oBACC,OAAKsC,GAMDuD,GAAS0P,GACX3P,EAAqBC,GAAO2P,OAE1B,IAAM,OAKHF,EAAU7V,EAASC,EAAQ,CAAE8H,oBAZ3B8N,EAAU5V,EAYkC,IelB9B4V,GACxBtV,IAAA,IAAAyV,YAAEA,GAA+DzV,EAA/CN,EAAMgB,EAAAV,EAAxB,iBACC,IAAKyV,EAAa,OAAOH,EAAU5V,GAInC,MAAMgW,eAAEA,EAAcC,SAAEA,GpBQQ,MAClC,MAAMC,EAA6B,GAYnC,MAAO,CAAEF,eAVc,KACrB,KAAOE,EAAS3R,QACd4R,aAAaD,EAASE,MACvB,EAOsBH,SAJR,CAAChN,EAAgB9F,KAChC+S,EAAS9M,KAAKiN,WAAWpN,EAAI9F,GAAS,EAGL,EoBrBImT,GAIrC,IAAIC,EACAtB,EACArS,GACFgM,SAAS2D,iBAAiB,oBAAoB,KAGb,YAA7B3D,SAAS4H,iBACTD,GACA,IAAI9W,KAAS8W,IAEbhU,EAAa,8CAIbiK,EAAIoE,QAAQ5L,KAAqBiQ,GAClC,IAIL,MAkDMzI,EAAMoJ,EAAU7V,EAASC,EAAQ,CAAEiU,aAlDFzT,MAAOiW,EAAMhW,KAClD,MAAMU,WAAEA,EAAUE,WAAEA,EAAUC,kBAAEA,SACxBf,EAAwBE,GAGhC,GAAoB,OAAhBA,aAAG,EAAHA,EAAKiW,QACPnU,EAAa,sCACbyT,SACK,GAAI7U,GAAcG,EAAmB,CAK1C,GAJAiV,EpBhD0B,EAChCxX,EACAuC,KAEA,GAAIA,EACF,OAAO,IAAI7B,KAAyB,IAApB6B,GAGlBiB,EACE,oFAEF,IACE,MAAMoU,EAAS3X,EAAsBD,GACrC,GAAI4X,EAAO1X,IACT,OAAO,IAAIQ,KAAkB,IAAbkX,EAAO1X,IAE1B,CAAC,MAAOC,GACP,OAAO,IACR,GoB8B6B0X,CACtBzV,EACAG,IAEGiV,EAEH,YADAhU,EAAa,wDAGf0S,EAAe5T,EACf,MAAM8B,EAAUD,EAAsBqT,GAGtC,GAFAP,IAEI7S,GrB3DqB,IqBoEvB,YAHAZ,EACE,iEAKJ,MAAMsU,EAAiB,IAAIpX,KACzBA,KAAKC,MAAQyD,GACb2T,mBAAmB,QAAS,CAAEC,QAAQ,IACxCxU,EACE,6BAA6BsU,OAAoB1T,QAGnD8S,GAAS,KACP1T,EAAa,mCAIbiK,EAAIoE,QAAQ5L,KAAqB3D,EAAW,GAC3C8B,EACJ,MAeH,OAAO6T,EAASxK,EAAK,CAAC,SAAU,YAAa,gBAT1CnE,GACD7H,SAAUgC,KACR,MAAMoG,QAAaP,KAAM7F,GAIzB,OAHAD,EAAa,uBACbyT,IAEOpN,CAAI,GAGsD,ICpG9CgN,GACxB5V,GACC4V,EAAS3U,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EACJlB,GAAM,CACTiX,YAAWhW,OAAAC,OAAA,CACT,qBAAsB,SACtB,wBAAyB,UACtBlB,EAAOiX,kBXASrB,GACxB5V,IACC,MAAMkX,EAAsBrO,IACtBsO,EAAYtO,IACZuO,EAASvO,IAyBT2D,EAAMoJ,EAAU7V,EAASC,EAAQ,CAAEiU,aAvBFzT,MAAOiW,EAAMhW,KAClD,GAAoB,OAAhBA,aAAG,EAAHA,EAAKiW,QACPS,EAAUpO,IAAI,MACdqO,EAAOrO,IAAI,MACXmO,EAAoBnO,IAAI,UACnB,CACL,MAAMsO,QAAoB3V,EAAoBjB,GAC1C4W,GAAaD,EAAOrO,IAAIsO,GAE5B,MAAMlW,WAAEA,EAAUG,kBAAEA,SACZf,EAAwBE,GAE5BU,GAAYgW,EAAUpO,IAAI5H,IAE1BG,GAAqBH,IAIvB+V,EAAoBnO,IAAIzH,GAAqB,GAEhD,MAiBGgW,EAAaN,EACjBxK,EACA,CAAC,SAAU,YAAa,gBAbvBnE,GACD7H,SAAUgC,KACR,MAAMoG,QAAaP,KAAM7F,GAMzB,OAJA2U,EAAUpO,IAAI,MACdqO,EAAOrO,IAAI,MACXmO,EAAoBnO,IAAI,MAEjBH,CAAI,IASf,OAAO3H,OAAOC,OAAOoW,EAAY,CAC/BC,qBAAsBJ,EAAUjO,IAChCsO,aAAcJ,EAAOlO,IACrBuO,wBAA0BxO,GAEjBiO,EAAoBhO,KAAKjK,IAC9BgK,IAAKhK,EAAI,KAGb,IFxDqB2W,GACxBtV,IAAA,IAAAoX,2BACCA,GAA6B,EAAIC,qCACjCA,GAAuC,GAAKrX,EACzCN,EAHJgB,EAAAV,EAAA,CAAA,6BAAA,yCAQC,IAAKoX,EAGH,OAAOzW,OAAOC,OAAO0U,EAAU5V,GAAS,CACtCkI,qBACAC,2BAGJ,MAUMqE,EAAMoJ,EAAU7V,EAASC,EAAQ,CAAEiU,aAVFzT,MAAOiW,EAAMhW,WAClD,MAAM4W,QAAoB3V,EAAoBjB,GACxC8H,EAAkC,QAAxBjI,EAAA+W,aAAA,EAAAA,EAAaO,gBAAW,IAAAtX,OAAA,EAAAA,EAAA,GAClCkI,EAAc6O,aAAA,EAAAA,EAAa3T,KAC7B6E,ID9BwB,CAACA,IAC1BvG,EAAgBgG,EAAkCO,EAAQ,EC8B3DsP,CAAmBtP,GDnBW,CAACC,IAC9BxG,EAAgBiG,EAAsCO,EAAY,ECmBnEsP,CAAuBtP,GACxB,KAKH,IAAI8O,EAAaN,EAASxK,EAAK,CAAC,cAAepE,GAM/C,OALAkP,EAAaN,EACXM,EACA,CAAC,SAAU,aACX5O,EAAciP,IAET1W,OAAOC,OAAOoW,EAAY,CAC/BpP,qBACAC,0BACO,IGrCcyN,GACAtV,IAAA,IACvByX,cAAeC,EAAeC,sBAC9BA,EAAqBC,cACrBA,GAAa5X,EACVN,EAJoBgB,EAAAV,EAAA,CAAA,gBAAA,wBAAA,kBAYvB,IAAK0X,IAAoBpV,EAKvB,OAAOgT,EAAU5V,GAGnB,MAgBMwM,EAAMoJ,EACV7V,EAASC,EAAQ,CACf8H,eT2EL7C,ES3EkCiT,ET4ElClY,GACQiB,OAAOC,OAAOlB,EAAQ,CAC3BjB,MAAOiB,EAAOjB,OAASiG,EAAgBC,MS7ErCgP,aAnBmCzT,MAAO8P,EAAK7P,KACjD,MAAM0X,EAAkB,kBAAkBC,KAAK9H,EAAI1L,MAE/B,OAAhBnE,aAAG,EAAHA,EAAKiW,QACFyB,GACH9S,EAAY6S,GTyBO,EAC3BzW,EAAW,CAA6B,EACxCwW,GAAgD,EAChDC,EAAgB,YAGhB,MAAM/W,WAAEA,EAAUE,WAAEA,GAAeI,EAKnC,GAJAJ,GACEW,EAAgB,GAAGkW,IAAgB3U,IAAqBlC,GAGtDF,EACF,GAAI8W,EAAuB,CAIzB,MAAMpU,EAAiBoU,EAAgC,UAAK,SACtDnU,EAAkD,QAAnCxD,EAAA2X,EAA8B,cAAK,IAAA3X,GAAAA,EACxDmD,EAAkBH,EAAmBnC,EAC/BF,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAAAO,IACJoC,iBACAC,iBAEH,MACC9B,EAAgB,GAAGkW,IAAgB5U,IAAqBnC,GAIxDM,EAASL,SACXY,EAAgB,GAAGkW,IAAgB1U,IAAgB/B,EAASL,QAC7D,ESpDK2W,OACQxX,EAAwBE,GAC9BwX,EACAC,EAEH,KTgFL,IAACjT,EStEC,MAAMqS,EAAaN,EACjBxK,EACA,CAAC,SAAU,YAAa,eACxBlD,EAAQ4O,IAOV,OAAOjX,OAAOC,OAAOoW,EAAY,CAC/BtS,gBALmB,IAAMA,EAAgBkT,GAMzChT,gBALmB,IAAMA,EAAgBgT,GAMzC9S,WALc,IAAMA,EAAW8S,IAMxB,GOrEcvC,EIKR3V,IACjB,MAAM+Q,EAAUsH,EAAcrY,GAExBsY,EAAO1E,GAAW7C,EAAS/Q,EAAO0N,UAAW1N,EAAO0S,YAE1D,OACKzR,OAAAC,OAAAD,OAAAC,OAAA,GAAA6P,IACHH,QAASpQ,MAAOzB,IACd,GAAIiB,EAAO0S,WACT,UACoB4F,EAAKrD,aAAalW,GACpC,OAAOkM,QAAQC,QAAQ,CAAExK,IAAI,GAC9B,CAAC,MAAO6X,GACP,OAAOtN,QAAQC,QAAQ,CACrBxK,IAAI,EACJ6X,MAAO,CACLC,UAlBkB,UAmBlBC,iBAAkBF,EAAMjS,aAG7B,CAIH,MAAMoS,EAAsBxT,IACtByT,EAAsB3T,IAC5B,OAAO+L,EAAQH,QAAQ7R,EAAO,CAC5B6Z,IAAKF,EAAsB,IAAM,IACjCG,IAAKF,EAAsB,IAAM,KACjC,EAIJtD,OAAQ7U,MAAOzB,IACb,GAAIiB,EAAO0S,WAET,IAEE,aADM4F,EAAKjD,OAAO,CAAEC,cAAevW,IAC5BkM,QAAQC,QAAQ,CAAExK,IAAI,GAC9B,CAAC,MAAO6X,GACP,OAAOtN,QAAQC,QAAQ,CACrBxK,IAAI,EACJ6X,MAAO,CACLC,UA9CiB,UA+CjBC,iBAAkBF,EAAMjS,aAG7B,CAEH,OAAOyK,EAAQsE,OAAOtW,EAAM,EAE9BiS,KAAMF,GAASC,GACflE,SAAUiM,GAAe/H,GACzBgI,MAAOtL,GAAYsD,EAAS/Q,EAAO0N,WACnC4K,QACA"}
package/dist/index.umd.js ADDED
@@ -0,0 +1,4 @@
1
+ !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).Descope=t()}(this,(function(){"use strict";var e=function(){return e=Object.assign||function(e){for(var t,s=1,i=arguments.length;s<i;s++)for(var r in t=arguments[s])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},e.apply(this,arguments)};function t(e,t){var s={};for(var i in e)Object.prototype.hasOwnProperty.call(e,i)&&t.indexOf(i)<0&&(s[i]=e[i]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var r=0;for(i=Object.getOwnPropertySymbols(e);r<i.length;r++)t.indexOf(i[r])<0&&Object.prototype.propertyIsEnumerable.call(e,i[r])&&(s[i[r]]=e[i[r]])}return s}"function"==typeof SuppressedError&&SuppressedError;class s extends Error{}function i(e){let t=e.replace(/-/g,"+").replace(/_/g,"/");switch(t.length%4){case 0:break;case 2:t+="==";break;case 3:t+="=";break;default:throw new Error("base64 string is not of the correct length")}try{return function(e){return decodeURIComponent(atob(e).replace(/(.)/g,((e,t)=>{let s=t.charCodeAt(0).toString(16).toUpperCase();return s.length<2&&(s="0"+s),"%"+s})))}(t)}catch(e){return atob(t)}}function r(e,t){if("string"!=typeof e)throw new s("Invalid token specified: must be a string");t||(t={});const r=!0===t.header?0:1,n=e.split(".")[r];if("string"!=typeof n)throw new s(`Invalid token specified: missing part #${r+1}`);let o;try{o=i(n)}catch(e){throw new s(`Invalid token specified: invalid base64 for part #${r+1} (${e.message})`)}try{return JSON.parse(o)}catch(e){throw new s(`Invalid token specified: invalid json for part #${r+1} (${e.message})`)}}s.prototype.name="InvalidTokenError";const n=e=>{try{return r(e).exp}catch(e){return null}},o=e=>{const{refresh_expire_in:t,refresh_token:s}=e;return t?Math.floor(Date.now()/1e3)+t:n(s)},a=e=>{const{expires_in:t,expires_at:s,access_token:i}=e;return s||(t?Math.floor(Date.now()/1e3)+t:i?n(i):void 0)},c=(e,t)=>{var s;return["beforeRequest","afterRequest"].reduce(((s,i)=>{var r;return s[i]=[].concat((null===(r=e.hooks)||void 0===r?void 0:r[i])||[]).concat((null==t?void 0:t[i])||[]),s}),null!==(s=e.hooks)&&void 0!==s?s:e.hooks={}),e},l=async e=>{if(!(null==e?void 0:e.ok))return{};const s=await(null==e?void 0:e.clone().json());return(e=>{const{access_token:s,id_token:i,refresh_token:r,refresh_expire_in:n}=e,c=t(e,["access_token","id_token","refresh_token","refresh_expire_in"]);return Object.assign({sessionJwt:e.sessionJwt||s,idToken:i,refreshJwt:e.refreshJwt||r,sessionExpiration:e.sessionExpiration||a(e),cookieExpiration:e.cookieExpiration||o(e)},c)})((null==s?void 0:s.authInfo)||s||{})},d=async e=>{const t=await l(e);return(null==t?void 0:t.user)||((null==t?void 0:t.hasOwnProperty("userId"))?t:void 0)},u="undefined"!=typeof localStorage,h=(e,t)=>u&&(null===localStorage||void 0===localStorage?void 0:localStorage.setItem(e,t)),g=e=>u&&(null===localStorage||void 0===localStorage?void 0:localStorage.getItem(e)),p=e=>u&&(null===localStorage||void 0===localStorage?void 0:localStorage.removeItem(e));var _="/v1/auth/accesskey/exchange",w="/v1/auth/otp/verify",f="/v1/auth/otp/signin",m="/v1/auth/otp/signup",v={email:"/v1/auth/otp/update/email",phone:"/v1/auth/otp/update/phone"},y="/v1/auth/otp/signup-in",S="/v1/auth/magiclink/verify",b="/v1/auth/magiclink/signin",k="/v1/auth/magiclink/signup",I={email:"/v1/auth/magiclink/update/email",phone:"/v1/auth/magiclink/update/phone"},T="/v1/auth/magiclink/signup-in",E="/v1/auth/enchantedlink/verify",O="/v1/auth/enchantedlink/signin",x="/v1/auth/enchantedlink/signup",P="/v1/auth/enchantedlink/pending-session",R={email:"/v1/auth/enchantedlink/update/email"},U="/v1/auth/enchantedlink/signup-in",C="/v1/auth/oauth/authorize",j="/v1/auth/oauth/exchange",q="v1/auth/oauth/native/start",A="v1/auth/oauth/native/finish",N="/v1/auth/saml/authorize",$="/v1/auth/saml/exchange",M="/v1/auth/totp/verify",D="/v1/auth/totp/signup",H="/v1/auth/totp/update",J="/v1/auth/notp/whatsapp/signin",L="/v1/auth/notp/whatsapp/signup",K="/v1/auth/notp/whatsapp/signup-in",W="/v1/auth/notp/pending-session",F={start:"/v1/auth/webauthn/signup/start",finish:"/v1/auth/webauthn/signup/finish"},z={start:"/v1/auth/webauthn/signin/start",finish:"/v1/auth/webauthn/signin/finish"},B={start:"/v1/auth/webauthn/signup-in/start"},V={start:"v1/auth/webauthn/update/start",finish:"/v1/auth/webauthn/update/finish"},Q="/v1/auth/password/signup",G="/v1/auth/password/signin",Z="/v1/auth/password/reset",Y="/v1/auth/password/update",X="/v1/auth/password/replace",ee="/v1/auth/password/policy",te="/v1/auth/refresh",se="/v1/auth/tenant/select",ie="/v1/auth/logout",re="/v1/auth/logoutall",ne="/v1/auth/me",oe="/v1/auth/me/tenants",ae="/v1/auth/me/history",ce="/v1/flow/start",le="/v1/flow/next";const de="<region>",ue=`https://api.${de}descope.com`,he=6e5,ge="dct",pe=()=>{const e={};return{headers(t){const s="function"==typeof t.entries?Object.fromEntries(t.entries()):t;return e.Headers=JSON.stringify(s),this},body(t){return e.Body=t,this},url(t){return e.Url=t.toString(),this},method(t){return e.Method=t,this},title(t){return e.Title=t,this},status(t){return e.Status=t,this},build:()=>Object.keys(e).flatMap((t=>e[t]?[`${"Title"!==t?`${t}: `:""}${e[t]}`]:[])).join("\n")}};let _e;const we=()=>{if(_e)return _e;const e=new Date,t=`${e.getUTCFullYear().toString()}-${(e.getUTCMonth()+1).toString().padStart(2,"0")}-${e.getUTCDate().toString().padStart(2,"0")}-${e.getUTCHours().toString().padStart(2,"0")}:${e.getUTCMinutes().toString().padStart(2,"0")}:${e.getUTCSeconds().toString().padStart(2,"0")}:${e.getUTCMilliseconds().toString()}`,s=Math.floor(1e3+9e3*Math.random());return _e=`${t}-${s}`,_e};var fe,me;(me=fe||(fe={})).get="GET",me.delete="DELETE",me.post="POST",me.put="PUT",me.patch="PATCH";const ve=({path:e,baseUrl:t,queryParams:s,projectId:i})=>{const r=i.slice(1,-27);t=t.replace(de,r?r+".":"");let n=e?`${t.replace(/\/$/,"")}/${null==e?void 0:e.replace(/^\//,"")}`:t;if(s){const e=Object.keys(s);e.forEach(((t,i)=>{n=`${n}${0===i?"?":""}${t}=${encodeURIComponent(s[t])}${i===e.length-1?"":"&"}`}))}return n},ye=(...e)=>new Headers(e.reduce(((e,t)=>{const s=(e=>Array.isArray(e)?e:e instanceof Headers?Array.from(e.entries()):e?Object.entries(e):[])(t);return s.reduce(((t,[s,i])=>(e[s]=i,e)),e),e}),{})),Se={"Content-Type":"application/json"},be=(e,t="")=>{let s=e;return t&&(s=s+":"+t),{Authorization:`Bearer ${s}`}},ke=e=>{const t={"x-descope-sdk-session-id":we(),"x-descope-sdk-name":"core-js","x-descope-sdk-version":"2.38.0"};return e&&(t["x-descope-refresh-cookie-name"]=e),t},Ie=e=>{try{e=JSON.parse(e)}catch(e){return!1}return"object"==typeof e&&null!==e},Te=({baseUrl:e,projectId:t,baseConfig:s,refreshCookieName:i,logger:r,hooks:n,cookiePolicy:o,fetch:a})=>{const c=((e,t)=>{const s=(e=>async(...t)=>{const s=await e(...t),i=await s.text();return s.text=()=>Promise.resolve(i),s.json=()=>Promise.resolve(JSON.parse(i)),s.clone=()=>s,s})(t||fetch);return s||null==e||e.warn("Fetch is not defined, you will not be able to send http requests, if you are running in a test, make sure fetch is defined globally"),e?async(...t)=>{if(!s)throw Error("Cannot send http request, fetch is not defined, if you are running in a test, make sure fetch is defined globally");e.log((e=>pe().title("Request").url(e[0]).method(e[1].method).headers(e[1].headers).body(e[1].body).build())(t));const i=await s(...t);return e[i.ok?"log":"error"](await(async e=>{const t=await e.text();return pe().title("Response").url(e.url.toString()).status(`${e.status} ${e.statusText}`).headers(e.headers).body(t).build()})(i)),i}:s})(r,a),l=async r=>{var a;const l=(null==n?void 0:n.beforeRequest)?n.beforeRequest(r):r,{path:d,body:u,headers:h,queryParams:g,method:p,token:_}=l,w=(e=>void 0===e?void 0:JSON.stringify(e))(u),f={headers:ye(be(t,_),ke(i),(null==s?void 0:s.baseHeaders)||{},Ie(w)?Se:{},h),method:p,body:w};null!==o&&(f.credentials=o||"include");const m=await c(ve({path:d,baseUrl:e,queryParams:g,projectId:t}),f);if((null==n?void 0:n.afterRequest)&&await n.afterRequest(r,null==m?void 0:m.clone()),null==n?void 0:n.transformResponse){const e=await m.json(),t=((null===(a=m.headers)||void 0===a?void 0:a.get("set-cookie"))||"").split(";").reduce(((e,t)=>{const[s,i]=t.split("=");return Object.assign(Object.assign({},e),{[s.trim()]:i})}),{}),s=Object.assign(Object.assign({},m),{json:()=>Promise.resolve(e),cookies:t});return s.clone=()=>s,n.transformResponse(s)}return m};return{get:(e,{headers:t,queryParams:s,token:i}={})=>l({path:e,headers:t,queryParams:s,body:void 0,method:fe.get,token:i}),post:(e,t,{headers:s,queryParams:i,token:r}={})=>l({path:e,headers:s,queryParams:i,body:t,method:fe.post,token:r}),patch:(e,t,{headers:s,queryParams:i,token:r}={})=>l({path:e,headers:s,queryParams:i,body:t,method:fe.patch,token:r}),put:(e,t,{headers:s,queryParams:i,token:r}={})=>l({path:e,headers:s,queryParams:i,body:t,method:fe.put,token:r}),delete:(e,{headers:t,queryParams:s,token:i}={})=>l({path:e,headers:t,queryParams:s,body:void 0,method:fe.delete,token:i}),hooks:n,buildUrl:(s,i)=>ve({projectId:t,baseUrl:e,path:s,queryParams:i})}};var Ee=429;function Oe(e,t,s){var i;let r=xe(e);if(t){if(!(null==r?void 0:r.tenants)&&(null==r?void 0:r[ge])===t)return(null==r?void 0:r[s])||[];r=null===(i=null==r?void 0:r.tenants)||void 0===i?void 0:i[t]}const n=null==r?void 0:r[s];return Array.isArray(n)?n:[]}function xe(e){if("string"!=typeof e||!e)throw new Error("Invalid token provided");return r(e)}function Pe(e){const{exp:t}=xe(e);return(new Date).getTime()/1e3>t}function Re(e){let t=xe(e);const s=Object.keys(null==t?void 0:t.tenants);return Array.isArray(s)?s:[]}function Ue(e,t){return Oe(e,t,"permissions")}function Ce(e,t){return Oe(e,t,"roles")}const je=(...e)=>e.join("/").replace(/\/{2,}/g,"/");async function qe(e,t){var s;const i=await e,r={code:i.status,ok:i.ok,response:i},n=await i.clone().json();return i.ok?r.data=n:(r.error=n,i.status===Ee&&Object.assign(r.error,{retryAfter:Number.parseInt(null===(s=i.headers)||void 0===s?void 0:s.get("retry-after"))||0})),r}function Ae(e){var t;return(null===(t=xe(e))||void 0===t?void 0:t[ge])||""}const Ne=(e,t)=>(s=t)=>t=>!e(t)&&s.replace("{val}",t),$e=(e,t)=>(s=t)=>t=>{const i=e.filter((e=>e(t)));return!(i.length<e.length)&&(s?s.replace("{val}",t):i.join(" OR "))},Me=(...e)=>({validate:t=>(e.forEach((e=>{const s=e(t);if(s)throw new Error(s)})),!0)}),De=e=>t=>e.test(t),He=De(/^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/),Je=De(/^\+[1-9]{1}[0-9]{3,14}$/),Le=Ne(He,'"{val}" is not a valid email'),Ke=Ne(Je,'"{val}" is not a valid phone number'),We=Ne((e=>e.length>=1),"Minimum length is 1");const Fe=Ne((e=>"string"==typeof e),"Input is not a string"),ze=Ne((e=>Array.isArray(e)),"Input is not an array"),Be=Ne((e=>"boolean"==typeof e),"Input is not a boolean"),Ve=Ne((e=>void 0===e),"Input is defined"),Qe=$e([Fe(),Ve()],"Input is not a string or undefined"),Ge=$e([ze(),Be()],"Input is not an array or boolean"),Ze=(...e)=>t=>(...s)=>(e.forEach(((e,t)=>Me(...e).validate(s[t]))),t(...s)),Ye=e=>[Fe(`"${e}" must be a string`)],Xe=e=>[Fe(`"${e}" must be a string`),We(`"${e}" must not be empty`)],et=e=>[Fe(`"${e}" must be a string`),Le()],tt=e=>[Fe(`"${e}" must be a string`),Ke()],st=Ze(Xe("accessKey")),it=e=>({exchange:st(((t,s)=>qe(e.post(_,{loginOptions:s},{token:t}))))}),rt=(e,t,s)=>(t.forEach((t=>{const i=t.split(".");let r=i.shift(),n=e;for(;i.length>0;){if(n=n[r],!r||!n)throw Error(`Invalid path "${t}", "${r}" is missing or has no value`);r=i.shift()}if("function"!=typeof n[r])throw Error(`"${t}" is not a function`);const o=n[r];n[r]=s(o)})),e),nt=({pollingIntervalMs:e=1e3,timeoutMs:t=6e5}={})=>({pollingIntervalMs:Math.max(e||1e3,1e3),timeoutMs:Math.min(t||he,he)});var ot,at;!function(e){e.sms="sms",e.voice="voice",e.whatsapp="whatsapp"}(ot||(ot={})),function(e){e.email="email"}(at||(at={}));const ct=Object.assign(Object.assign({},ot),at);var lt;!function(e){e.waiting="waiting",e.running="running",e.completed="completed",e.failed="failed"}(lt||(lt={}));const dt=Xe("loginId"),ut=Ze(Xe("token")),ht=Ze(dt),gt=Ze(Xe("pendingRef")),pt=Ze(dt,et("email")),_t=e=>({verify:ut((t=>qe(e.post(E,{token:t})))),signIn:ht(((t,s,i,r)=>qe(e.post(je(O,ct.email),{loginId:t,URI:s,loginOptions:i},{token:r})))),signUpOrIn:ht(((t,s,i)=>qe(e.post(je(U,ct.email),{loginId:t,URI:s,loginOptions:i})))),signUp:ht(((t,s,i,r)=>qe(e.post(je(x,ct.email),{loginId:t,URI:s,user:i,loginOptions:r})))),waitForSession:gt(((t,s)=>new Promise((i=>{const{pollingIntervalMs:r,timeoutMs:n}=nt(s);let o;const a=setInterval((async()=>{const s=await e.post(P,{pendingRef:t});s.ok&&(clearInterval(a),o&&clearTimeout(o),i(qe(Promise.resolve(s))))}),r);o=setTimeout((()=>{i({error:{errorDescription:`Session polling timeout exceeded: ${n}ms`,errorCode:"0"},ok:!1}),clearInterval(a)}),n)})))),update:{email:pt(((t,s,i,r,n)=>qe(e.post(R.email,Object.assign({loginId:t,email:s,URI:i},n),{token:r}))))}}),wt=Ze(Xe("flowId")),ft=Ze(Xe("executionId"),Xe("stepId"),Xe("interactionId")),mt=e=>({start:wt(((t,s,i,r,n,o,a)=>qe(e.post(ce,{flowId:t,options:s,conditionInteractionId:i,interactionId:r,componentsVersion:n,flowVersions:o,input:a})))),next:ft(((t,s,i,r,n,o)=>qe(e.post(le,{executionId:t,stepId:s,interactionId:i,version:r,componentsVersion:n,input:o}))))}),vt=Xe("loginId"),yt=Ze(Xe("token")),St=Ze(vt),bt=Ze(vt,tt("phone")),kt=Ze(vt,et("email")),It=Object.keys(ct).filter((e=>e!==ot.voice)),Tt=e=>({verify:yt((t=>qe(e.post(S,{token:t})))),signIn:It.reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:St(((t,i,r,n)=>qe(e.post(je(b,s),{loginId:t,URI:i,loginOptions:r},{token:n}))))})),{}),signUp:It.reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:St(((t,i,r,n)=>qe(e.post(je(k,s),{loginId:t,URI:i,user:r,loginOptions:n}))))})),{}),signUpOrIn:It.reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:St(((t,i,r)=>qe(e.post(je(T,s),{loginId:t,URI:i,loginOptions:r}))))})),{}),update:{email:kt(((t,s,i,r,n)=>qe(e.post(I.email,Object.assign({loginId:t,email:s,URI:i},n),{token:r})))),phone:Object.keys(ot).filter((e=>e!==ot.voice)).reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:bt(((t,i,r,n,o)=>qe(e.post(je(I.phone,s),Object.assign({loginId:t,phone:i,URI:r},o),{token:n}))))})),{})}});var Et;!function(e){e.facebook="facebook",e.github="github",e.google="google",e.microsoft="microsoft",e.gitlab="gitlab",e.apple="apple",e.discord="discord",e.linkedin="linkedin",e.slack="slack"}(Et||(Et={}));const Ot=Ze(Xe("code")),xt=e=>({start:Object.assign(((t,s,i,r)=>qe(e.post(C,i||{},{queryParams:Object.assign({provider:t},s&&{redirectURL:s}),token:r}))),Object.keys(Et).reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:(t,i,r)=>qe(e.post(C,i||{},{queryParams:Object.assign({provider:s},t&&{redirectURL:t}),token:r}))})),{})),exchange:Ot((t=>qe(e.post(j,{code:t})))),startNative:(t,s,i)=>qe(e.post(q,{provider:t,loginOptions:s,implicit:i})),finishNative:(t,s,i,r,n)=>qe(e.post(A,{provider:t,stateId:s,user:i,code:r,idToken:n}))}),Pt=Xe("loginId"),Rt=Ze(Pt,Xe("code")),Ut=Ze(Pt),Ct=Ze(Pt,tt("phone")),jt=Ze(Pt,et("email")),qt=e=>({verify:Object.keys(ct).reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:Rt(((t,i)=>qe(e.post(je(w,s),{code:i,loginId:t}))))})),{}),signIn:Object.keys(ct).reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:Ut(((t,i,r)=>qe(e.post(je(f,s),{loginId:t,loginOptions:i},{token:r}))))})),{}),signUp:Object.keys(ct).reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:Ut(((t,i,r)=>qe(e.post(je(m,s),{loginId:t,user:i,loginOptions:r}))))})),{}),signUpOrIn:Object.keys(ct).reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:Ut(((t,i)=>qe(e.post(je(y,s),{loginId:t,loginOptions:i}))))})),{}),update:{email:jt(((t,s,i,r)=>qe(e.post(v.email,Object.assign({loginId:t,email:s},r),{token:i})))),phone:Object.keys(ot).reduce(((t,s)=>Object.assign(Object.assign({},t),{[s]:Ct(((t,i,r,n)=>qe(e.post(je(v.phone,s),Object.assign({loginId:t,phone:i},n),{token:r}))))})),{})}}),At=Ze(Xe("tenant")),Nt=Ze(Xe("code")),$t=e=>({start:At(((t,s,i,r,n)=>qe(e.post(N,i||{},Object.assign({queryParams:Object.assign(Object.assign({tenant:t},s&&{redirectURL:s}),n&&{ssoId:n})},r&&{token:r}))))),exchange:Nt((t=>qe(e.post($,{code:t}))))}),Mt=Xe("loginId"),Dt=Ze(Mt,Xe("code")),Ht=Ze(Mt),Jt=Ze(Mt),Lt=e=>({signUp:Ht(((t,s)=>qe(e.post(D,{loginId:t,user:s})))),verify:Dt(((t,s,i,r)=>qe(e.post(M,{loginId:t,code:s,loginOptions:i},{token:r})))),update:Jt(((t,s)=>qe(e.post(H,{loginId:t},{token:s}))))}),Kt=Xe("loginId"),Wt=Xe("newPassword"),Ft=Ze(Kt,Xe("password")),zt=Ze(Kt),Bt=Ze(Kt,Wt),Vt=Ze(Kt,Xe("oldPassword"),Wt),Qt=e=>({signUp:Ft(((t,s,i,r)=>qe(e.post(Q,{loginId:t,password:s,user:i,loginOptions:r})))),signIn:Ft(((t,s,i)=>qe(e.post(G,{loginId:t,password:s,loginOptions:i})))),sendReset:zt(((t,s,i)=>qe(e.post(Z,{loginId:t,redirectUrl:s,templateOptions:i})))),update:Bt(((t,s,i)=>qe(e.post(Y,{loginId:t,newPassword:s},{token:i})))),replace:Vt(((t,s,i)=>qe(e.post(X,{loginId:t,oldPassword:s,newPassword:i})))),policy:()=>qe(e.get(ee))}),Gt=Ye("loginId"),Zt=Xe("loginId"),Yt=Xe("origin"),Xt=Ze(Zt,Yt,Xe("name")),es=Ze(Zt,Yt),ts=Ze(Gt,Yt),ss=Ze(Zt,Yt,Xe("token")),is=Ze(Xe("transactionId"),Xe("response")),rs=e=>({signUp:{start:Xt(((t,s,i,r)=>qe(e.post(F.start,{user:{loginId:t,name:i},origin:s,passkeyOptions:r})))),finish:is(((t,s)=>qe(e.post(F.finish,{transactionId:t,response:s}))))},signIn:{start:ts(((t,s,i,r,n)=>qe(e.post(z.start,{loginId:t,origin:s,loginOptions:i,passkeyOptions:n},{token:r})))),finish:is(((t,s)=>qe(e.post(z.finish,{transactionId:t,response:s}))))},signUpOrIn:{start:es(((t,s,i)=>qe(e.post(B.start,{loginId:t,origin:s,passkeyOptions:i}))))},update:{start:ss(((t,s,i,r)=>qe(e.post(V.start,{loginId:t,origin:s,passkeyOptions:r},{token:i})))),finish:is(((t,s)=>qe(e.post(V.finish,{transactionId:t,response:s}))))}}),ns=Ye("loginId"),os=Ze(ns),as=Ze(Xe("pendingRef")),cs=e=>({signUpOrIn:os(((t,s)=>qe(e.post(K,{loginId:t,loginOptions:s})))),signUp:os(((t,s,i)=>qe(e.post(L,{loginId:t,user:s,loginOptions:i})))),signIn:os(((t,s,i)=>qe(e.post(J,{loginId:t,loginOptions:s},{token:i})))),waitForSession:as(((t,s)=>new Promise((i=>{const{pollingIntervalMs:r,timeoutMs:n}=nt(s);let o;const a=setInterval((async()=>{const s=await e.post(W,{pendingRef:t});s.ok&&(clearInterval(a),o&&clearTimeout(o),i(qe(Promise.resolve(s))))}),r);o=setTimeout((()=>{i({error:{errorDescription:`Session polling timeout exceeded: ${n}ms`,errorCode:"0"},ok:!1}),clearInterval(a)}),n)}))))}),ls=Ze(Xe("token")),ds=Ze([Qe('"token" must be string or undefined')]);var us,hs=Ze([(us=Xe("projectId"),Ne(((e,t)=>s=>Me(...t).validate(((e,t)=>{const s=(Array.isArray(t)?t.join("."):String(t)).replace(/\[\\?("|')?(\w|d)+\\?("|')?\]/g,((e,t,s)=>"."+s)).split("."),i=s.length;let r=0,n=e===Object(e)?e:void 0;for(;null!=n&&r<i;)n=n[s[r++]];return r&&r===i&&void 0!==n?n:void 0})(s,e)))("projectId",us))())])((e=>{var t;return(({projectId:e,logger:t,baseUrl:s,hooks:i,cookiePolicy:r,baseHeaders:n={},refreshCookieName:o,fetch:a})=>{return c=Te({baseUrl:s||ue,projectId:e,logger:t,hooks:i,cookiePolicy:r,baseConfig:{baseHeaders:n},refreshCookieName:o,fetch:a}),{accessKey:it(c),otp:qt(c),magicLink:Tt(c),enchantedLink:_t(c),oauth:xt(c),saml:$t(c),totp:Lt(c),notp:cs(c),webauthn:rs(c),password:Qt(c),flow:mt(c),refresh:ds(((e,t)=>qe(c.post(te,{},{token:e,queryParams:t})))),selectTenant:Ze([Fe("tenantId")],[Qe('"token" must be string or undefined')])(((e,t)=>qe(c.post(se,{tenant:e},{token:t})))),logout:ds((e=>qe(c.post(ie,{},{token:e})))),logoutAll:ds((e=>qe(c.post(re,{},{token:e})))),me:ds((e=>qe(c.get(ne,{token:e})))),myTenants:Ze([Ge('"tenants" must a string array or a boolean')],[Qe('"token" must be string or undefined')])(((e,t)=>{const s={};return"boolean"==typeof e?s.dct=e:s.ids=e,qe(c.post(oe,s,{token:t}))})),history:ds((e=>qe(c.get(ae,{token:e})))),isJwtExpired:ls(Pe),getTenants:ls(Re),getJwtPermissions:ls(Ue),getJwtRoles:ls(Ce),getCurrentTenant:ls(Ae),httpClient:c};var c})(Object.assign(Object.assign({},e),{hooks:{beforeRequest:t=>{var s;const i=[].concat((null===(s=e.hooks)||void 0===s?void 0:s.beforeRequest)||[]);return null==i?void 0:i.reduce(((e,t)=>t(e)),t)},afterRequest:async(t,s)=>{var i;const r=[].concat((null===(i=e.hooks)||void 0===i?void 0:i.afterRequest)||[]);0!=r.length&&(await Promise.allSettled(null==r?void 0:r.map((e=>e(t,null==s?void 0:s.clone()))))).forEach((t=>{var s;return"rejected"===t.status&&(null===(s=e.logger)||void 0===s?void 0:s.error(t.reason))}))},transformResponse:null===(t=e.hooks)||void 0===t?void 0:t.transformResponse}}))})),gs=Object.assign(hs,{DeliveryMethods:ct});const ps=(...e)=>{console.debug(...e)},_s="3.2.0",ws="undefined"!=typeof window,fs=Math.pow(2,31)-1,ms=`https://descopecdn.com/npm/oidc-client-ts@${_s}/dist/browser/oidc-client-ts.min.js`,vs=`https://cdn.jsdelivr.net/npm/oidc-client-ts@${_s}/dist/browser/oidc-client-ts.min.js`,ys=e=>{let t=((s=e)?s.getTime()-(new Date).getTime():0)-2e4;var s;return t>fs&&(ps(`Timeout is too large (${t}ms), setting it to ${fs}ms`),t=fs),t};
2
+ /*! js-cookie v3.0.5 | MIT */
3
+ function Ss(e){for(var t=1;t<arguments.length;t++){var s=arguments[t];for(var i in s)e[i]=s[i]}return e}var bs=function e(t,s){function i(e,i,r){if("undefined"!=typeof document){"number"==typeof(r=Ss({},s,r)).expires&&(r.expires=new Date(Date.now()+864e5*r.expires)),r.expires&&(r.expires=r.expires.toUTCString()),e=encodeURIComponent(e).replace(/%(2[346B]|5E|60|7C)/g,decodeURIComponent).replace(/[()]/g,escape);var n="";for(var o in r)r[o]&&(n+="; "+o,!0!==r[o]&&(n+="="+r[o].split(";")[0]));return document.cookie=e+"="+t.write(i,e)+n}}return Object.create({set:i,get:function(e){if("undefined"!=typeof document&&(!arguments.length||e)){for(var s=document.cookie?document.cookie.split("; "):[],i={},r=0;r<s.length;r++){var n=s[r].split("="),o=n.slice(1).join("=");try{var a=decodeURIComponent(n[0]);if(i[a]=t.read(o,a),e===a)break}catch(e){}}return e?i[e]:i}},remove:function(e,t){i(e,"",Ss({},t,{expires:-1}))},withAttributes:function(t){return e(this.converter,Ss({},this.attributes,t))},withConverter:function(t){return e(Ss({},this.converter,t),this.attributes)}},{attributes:{value:Object.freeze(s)},converter:{value:Object.freeze(t)}})}({read:function(e){return'"'===e[0]&&(e=e.slice(1,-1)),e.replace(/(%[\dA-F]{2})+/gi,decodeURIComponent)},write:function(e){return encodeURIComponent(e).replace(/%(2[346BF]|3[AC-F]|40|5[BDE]|60|7[BCD])/g,decodeURIComponent)}},{path:"/"});const ks="DS",Is="DSR",Ts="DSI";function Es(e,t,s){if(t){const{cookieDomain:i,cookiePath:r,cookieSameSite:n,cookieExpiration:o,cookieSecure:a}=s,c=new Date(1e3*o),l=function(e){const t=window.location.hostname.split("."),s=e.split(".");return t.slice(-s.length).join(".")===e}(i);bs.set(e,t,{path:r,domain:l?i:void 0,expires:c,sameSite:n,secure:a})}}function Os(e=""){return g(`${e}${Is}`)||""}function xs(e=""){return bs.get(ks)||g(`${e}${ks}`)||""}function Ps(e=""){return g(`${e}${Ts}`)||""}function Rs(e=""){p(`${e}${Is}`),p(`${e}${ks}`),p(`${e}${Ts}`),bs.remove(ks)}const Us=ws&&(null===localStorage||void 0===localStorage?void 0:localStorage.getItem("fingerprint.endpoint.url"))||"https://api.descope.com",Cs="vsid",js="vrid";var qs={default:"endpoint"},As="Blocked by CSP",Ns="The endpoint parameter is not a valid URL",$s="Failed to load the JS script of the agent",Ms="9319";function Ds(e,t){var s,i,r,n,o,a=[],c=(s=function(e){var t=function(e,t,s){if(s||2===arguments.length)for(var i,r=0,n=t.length;r<n;r++)!i&&r in t||(i||(i=Array.prototype.slice.call(t,0,r)),i[r]=t[r]);return e.concat(i||Array.prototype.slice.call(t))}([],e,!0);return{current:function(){return t[0]},postpone:function(){var e=t.shift();void 0!==e&&t.push(e)},exclude:function(){t.shift()}}}(e),n=0,i=function(){return Math.random()*Math.min(3e3,100*Math.pow(2,n++))},r=new Set,[s.current(),function(e,t){var n,o=t instanceof Error?t.message:"";if(o===As||o===Ns)s.exclude(),n=0;else if(o===Ms)s.exclude();else if(o===$s){var a=Date.now()-e.getTime()<50,c=s.current();c&&a&&!r.has(c)&&(r.add(c),n=0),s.postpone()}else s.postpone();var l=s.current();return void 0===l?void 0:[l,null!=n?n:e.getTime()+i()-Date.now()]}]),l=c[0],d=c[1];if(void 0===l)return Promise.reject(new TypeError("The list of script URL patterns is empty"));var u=function(e){var s=new Date,i=function(t){return a.push({url:e,startedAt:s,finishedAt:new Date,error:t})},r=t(e);return r.then((function(){return i()}),i),r.catch((function(e){if(null!=o||(o=e),a.length>=5)throw o;var t=d(s,e);if(!t)throw o;var i,r=t[0],n=t[1];return(i=n,new Promise((function(e){return setTimeout(e,i)}))).then((function(){return u(r)}))}))};return u(l).then((function(e){return[e,a]}))}var Hs="https://fpnpmcdn.net/v<version>/<apiKey>/loader_v<loaderVersion>.js",Js=Hs;function Ls(s){var i;s.scriptUrlPattern;var r=s.token,n=s.apiKey,o=void 0===n?r:n,a=t(s,["scriptUrlPattern","token","apiKey"]),c=null!==(i=function(e,t){return function(e,t){return Object.prototype.hasOwnProperty.call(e,t)}(e,t)?e[t]:void 0}(s,"scriptUrlPattern"))&&void 0!==i?i:Hs,l=function(){var e=[],t=function(){e.push({time:new Date,state:document.visibilityState})},s=function(e,t,s,i){return e.addEventListener(t,s,i),function(){return e.removeEventListener(t,s,i)}}(document,"visibilitychange",t);return t(),[e,s]}(),d=l[0],u=l[1];return Promise.resolve().then((function(){if(!o||"string"!=typeof o)throw new Error("API key required");var e=function(e,t){return(Array.isArray(e)?e:[e]).map((function(e){return function(e,t){var s=encodeURIComponent;return e.replace(/<[^<>]+>/g,(function(e){return"<version>"===e?"3":"<apiKey>"===e?s(t):"<loaderVersion>"===e?s("3.11.6"):e}))}(String(e),t)}))}(c,o);return Ds(e,Ks)})).catch((function(e){throw u(),function(e){return e instanceof Error&&e.message===Ms?new Error($s):e}(e)})).then((function(t){var s=t[0],i=t[1];return u(),s.load(e(e({},a),{ldi:{attempts:i,visibilityStates:d}}))}))}function Ks(e){return function(e,t,s){var i,r=document,n="securitypolicyviolation",o=function(t){var s=new URL(e,location.href),r=t.blockedURI;r!==s.href&&r!==s.protocol.slice(0,-1)&&r!==s.origin||(i=t,a())};r.addEventListener(n,o);var a=function(){return r.removeEventListener(n,o)};return Promise.resolve().then(t).then((function(e){return a(),e}),(function(e){return new Promise((function(e){var t=new MessageChannel;t.port1.onmessage=function(){return e()},t.port2.postMessage(null)})).then((function(){if(a(),i)return s(i);throw e}))}))}(e,(function(){return function(e){return new Promise((function(t,s){if(function(e){if(URL.prototype)try{return new URL(e,location.href),!1}catch(e){if(e instanceof Error&&"TypeError"===e.name)return!0;throw e}}(e))throw new Error(Ns);var i=document.createElement("script"),r=function(){var e;return null===(e=i.parentNode)||void 0===e?void 0:e.removeChild(i)},n=document.head||document.getElementsByTagName("head")[0];i.onload=function(){r(),t()},i.onerror=function(){r(),s(new Error($s))},i.async=!0,i.src=e,n.appendChild(i)}))}(e)}),(function(){throw new Error(As)})).then(Ws)}function Ws(){var e=window,t="__fpjs_p_l_b",s=e[t];if(function(e,t){var s,i=null===(s=Object.getOwnPropertyDescriptor)||void 0===s?void 0:s.call(Object,e,t);(null==i?void 0:i.configurable)?delete e[t]:i&&!i.writable||(e[t]=void 0)}(e,t),"function"!=typeof(null==s?void 0:s.load))throw new Error(Ms);return s}const Fs=(e=!1)=>{const t=localStorage.getItem("fp");if(!t)return null;const s=JSON.parse(t);return(new Date).getTime()>s.expiry&&!e?null:s.value},zs=async(e,t=Us)=>{try{if(Fs())return;const s=(Date.now().toString(36)+Math.random().toString(36).substring(2)+Math.random().toString(36).substring(2)).substring(0,27),i=new URL(t);i.pathname="/fXj8gt3x8VulJBna/x96Emn69oZwcd7I6";const r=new URL(t);r.pathname="/fXj8gt3x8VulJBna/w78aRZnnDZ3Aqw0I";const n=r.toString()+"?apiKey=<apiKey>&version=<version>&loaderVersion=<loaderVersion>",o=Ls({apiKey:e,endpoint:[i.toString(),qs],scriptUrlPattern:[n,Js]}),a=await o,{requestId:c}=await a.get({linkedId:s}),l=((e,t)=>({[Cs]:e,[js]:t}))(s,c);(e=>{const t={value:e,expiry:(new Date).getTime()+864e5};localStorage.setItem("fp",JSON.stringify(t))})(l)}catch(e){console.warn("Could not load fingerprint",e)}},Bs=e=>{const t=Fs(!0);return t&&e.body&&(e.body.fpData=t),e},Vs="dls_last_user_login_id",Qs="dls_last_user_display_name",Gs=()=>g(Vs),Zs=()=>g(Qs),Ys=e=>async(...t)=>{var s;t[1]=t[1]||{};const[,i={}]=t,r=Gs(),n=Zs();r&&(null!==(s=i.lastAuth)&&void 0!==s||(i.lastAuth={}),i.lastAuth.loginId=r,i.lastAuth.name=n);return await e(...t)},Xs=e=>t=>async(...s)=>{const i=await t(...s);return e||(p(Vs),p(Qs)),i};function ei(){const e=[];return{pub:t=>{e.forEach((e=>e(t)))},sub:t=>{const s=e.push(t)-1;return()=>e.splice(s,1)}}}const ti=e=>t=>async(...s)=>{const i=await t(...s);return Rs(e),i};async function si(e){const t=function(e){var t;const s=JSON.parse(e);return s.publicKey.challenge=ci(s.publicKey.challenge),s.publicKey.user.id=ci(s.publicKey.user.id),null===(t=s.publicKey.excludeCredentials)||void 0===t||t.forEach((e=>{e.id=ci(e.id)})),s}(e),s=await navigator.credentials.create(t);return i=s,JSON.stringify({id:i.id,rawId:li(i.rawId),type:i.type,response:{attestationObject:li(i.response.attestationObject),clientDataJSON:li(i.response.clientDataJSON)}});var i}async function ii(e){const t=oi(e);return ai(await navigator.credentials.get(t))}async function ri(e,t){const s=oi(e);s.signal=t.signal,s.mediation="conditional";return ai(await navigator.credentials.get(s))}async function ni(e=!1){if(!ws)return Promise.resolve(!1);const t=!!(window.PublicKeyCredential&&navigator.credentials&&navigator.credentials.create&&navigator.credentials.get);return t&&e&&PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable?PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable():t}function oi(e){var t;const s=JSON.parse(e);return s.publicKey.challenge=ci(s.publicKey.challenge),null===(t=s.publicKey.allowCredentials)||void 0===t||t.forEach((e=>{e.id=ci(e.id)})),s}function ai(e){return JSON.stringify({id:e.id,rawId:li(e.rawId),type:e.type,response:{authenticatorData:li(e.response.authenticatorData),clientDataJSON:li(e.response.clientDataJSON),signature:li(e.response.signature),userHandle:e.response.userHandle?li(e.response.userHandle):void 0}})}function ci(e){const t=e.replace(/_/g,"/").replace(/-/g,"+");return Uint8Array.from(atob(t),(e=>e.charCodeAt(0))).buffer}function li(e){return btoa(String.fromCharCode.apply(null,new Uint8Array(e))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}var di,ui=(di=e=>({async signUp(t,s,i){const r=await e.webauthn.signUp.start(t,window.location.origin,s,i);if(!r.ok)return r;const n=await si(r.data.options);return await e.webauthn.signUp.finish(r.data.transactionId,n)},async signIn(t,s){const i=await e.webauthn.signIn.start(t,window.location.origin,void 0,void 0,s);if(!i.ok)return i;const r=await ii(i.data.options);return await e.webauthn.signIn.finish(i.data.transactionId,r)},async signUpOrIn(t,s){var i;const r=await e.webauthn.signUpOrIn.start(t,window.location.origin,s);if(!r.ok)return r;if(null===(i=r.data)||void 0===i?void 0:i.create){const t=await si(r.data.options);return await e.webauthn.signUp.finish(r.data.transactionId,t)}{const t=await ii(r.data.options);return await e.webauthn.signIn.finish(r.data.transactionId,t)}},async update(t,s,i){const r=await e.webauthn.update.start(t,window.location.origin,s,i);if(!r.ok)return r;const n=await si(r.data.options);return await e.webauthn.update.finish(r.data.transactionId,n)},helpers:{create:si,get:ii,isSupported:ni,conditional:ri}}),(...e)=>{const t=di(...e);return Object.assign(t.signUp,e[0].webauthn.signUp),Object.assign(t.signIn,e[0].webauthn.signIn),Object.assign(t.signUpOrIn,e[0].webauthn.signUpOrIn),Object.assign(t.update,e[0].webauthn.update),t});const hi={config:"/fedcm/config"},gi=(e,t)=>({async oneTap(t,s,i,r,n){const o=null!=t?t:"google",a=await e.oauth.startNative(o,i,!0);if(!a.ok)return a;const{clientId:c,stateId:l,nonce:d}=a.data,u=await async function(){return new Promise(((e,t)=>{if(window.google)return void e(window.google.accounts.id);let s=document.getElementById("google-gsi-client-script");s||(s=document.createElement("script"),document.head.appendChild(s),s.async=!0,s.defer=!0,s.id="google-gsi-client-script",s.src="https://accounts.google.com/gsi/client"),s.onload=function(){window.google?e(window.google.accounts.id):t("Failed to load Google GSI client script - not loaded properly")},s.onerror=function(){t("Failed to load Google GSI client script - failed to load")}}))}();return new Promise((t=>{var i,a;u.initialize(Object.assign(Object.assign({},s),{itp_support:null===(i=null==s?void 0:s.itp_support)||void 0===i||i,use_fedcm_for_prompt:null===(a=null==s?void 0:s.use_fedcm_for_prompt)||void 0===a||a,client_id:c,callback:s=>{t(e.oauth.finishNative(o,l,"","",s.credential))},nonce:d})),u.prompt((e=>{var t,s;if(n&&(null==e?void 0:e.isDismissedMoment())){const s=null===(t=e.getDismissedReason)||void 0===t?void 0:t.call(e);null==n||n(s)}else if(r&&(null==e?void 0:e.isSkippedMoment())){const t=null===(s=e.getSkippedReason)||void 0===s?void 0:s.call(e);null==r||r(t)}else;}))}))},async launch(s){var i;const r={identity:{context:s||"signin",providers:[{configURL:e.httpClient.buildUrl(t+hi.config),clientId:t}]}},n=await(null===(i=navigator.credentials)||void 0===i?void 0:i.get(r));return e.refresh(n.token)},isSupported:()=>ws&&"IdentityCredential"in window,async isLoggedIn(s){var i;const r=e.httpClient.buildUrl(t+hi.config);try{const e={identity:{context:s||"signin",providers:[{configURL:r,clientId:t}]}},n=await(null===(i=navigator.credentials)||void 0===i?void 0:i.get(e));return!!n&&!!n.token}catch(e){return!1}}});var pi=e=>Object.assign(Object.assign({},e.flow),{start:async(...t)=>{const s=await ni(),i=Object.assign(Object.assign({location:window.location.href},t[1]),{deviceInfo:{webAuthnSupport:s},startOptionsVersion:1});return t[1]=i,e.flow.start(...t)}});let _i;const wi=(e,t)=>new Promise(((s,i)=>{if(!e.length)return i(new Error("No URLs provided to loadScriptWithFallback"));const r=t();if(r)return s(r);const n=e.shift(),o=document.createElement("script");o.src=n,o.id=(e=>{let t=0;for(let s=0;s<e.length;s++)t=(t<<5)-t+e.charCodeAt(s),t|=0;return Math.abs(t).toString(16)})(n),o.onload=()=>{const e=t();if(e)return s(e);throw new Error("Could not get entry after loading script from URL")},o.addEventListener("error",(()=>{wi(e,t),o.setAttribute("data-error","true")})),document.body.appendChild(o)}));const fi=async(e,t,s)=>{_i||(_i=(async()=>{try{return Promise.resolve().then((function(){return kr}))}catch(e){return wi([ms,vs],(()=>window.oidc))}})());const{OidcClient:i,WebStorageStateStore:r}=await _i;if(!i)throw new Error("oidc-client-ts is not installed. Please install it by running `npm install oidc-client-ts`");const n=t,o=(null==s?void 0:s.redirectUri)||window.location.href,a=(null==s?void 0:s.scope)||"openid email roles descope.custom_claims offline_access",c=`${n}_user`;let l=e.httpClient.buildUrl(t);(null==s?void 0:s.applicationId)&&(l=`${l}/${s.applicationId}`);const d={authority:l,client_id:t,redirect_uri:o,response_type:"code",scope:a,stateStore:new r({store:window.localStorage,prefix:n}),loadUserInfo:!0,fetchRequestCredentials:"same-origin"};return(null==s?void 0:s.redirectUri)&&(d.redirect_uri=s.redirectUri),(null==s?void 0:s.scope)&&(d.scope=s.scope),{client:new i(d),stateUserKey:c}},mi=(e,t,s)=>{const i=async()=>{let i,r;return i&&r||({client:i,stateUserKey:r}=await fi(e,t,s)),{client:i,stateUserKey:r}},r=async(t="")=>{var s;const{client:r,stateUserKey:n}=await i(),o=await r.processSigninResponse(t||window.location.href);var a;return await(null===(s=e.httpClient.hooks)||void 0===s?void 0:s.afterRequest({},new Response(JSON.stringify(o)))),window.localStorage.setItem(n,JSON.stringify({id_token:(a=o).id_token,session_state:a.session_state,profile:a.profile})),(()=>{const e=new URL(window.location.href);e.searchParams.delete("code"),e.searchParams.delete("state"),window.history.replaceState({},document.title,e.toString())})(),o};return{login:async(e={},t=!1)=>{const{client:s}=await i(),r=await s.createSigninRequest(e),{url:n}=r;return t||(window.location.href=n),{ok:!0,data:r}},finishLogin:r,finishLoginIfNeed:async(e="")=>{if(window.location.search.includes("code")&&window.location.search.includes("state"))return await r(e)},refreshToken:async t=>{var s;const{client:r,stateUserKey:n}=await i(),o=(e=>{const t=window.localStorage.getItem(e);return t?JSON.parse(t):null})(n);if(!o)throw new Error("User not found in storage to refresh token");let a=t;if(!a){const t={};e.httpClient.hooks.beforeRequest(t),a=t.token}const c=await r.useRefreshToken({state:{refresh_token:a,session_state:o.session_state,profile:o.profile}});return await(null===(s=e.httpClient.hooks)||void 0===s?void 0:s.afterRequest({},new Response(JSON.stringify(c)))),c},logout:async(e,t=!1)=>{const{client:s,stateUserKey:r}=await i();e||(e={}),e.id_token_hint=e.id_token_hint||Ps(),e.post_logout_redirect_uri=e.post_logout_redirect_uri||window.location.href;const n=await s.createSignoutRequest(e),{url:o}=n;return window.localStorage.removeItem(r),t||window.location.replace(o),n}}},vi=function(...e){return t=>e.reduce(((e,t)=>t(e)),t)}((e=>s=>{var{fpKey:i,fpLoad:r}=s,n=t(s,["fpKey","fpLoad"]);return ws?(i&&r&&zs(i).catch((()=>null)),e(c(n,{beforeRequest:Bs}))):e(n)}),(e=>s=>{var{autoRefresh:i}=s,n=t(s,["autoRefresh"]);if(!i)return e(n);const{clearAllTimers:o,setTimer:a}=(()=>{const e=[];return{clearAllTimers:()=>{for(;e.length;)clearTimeout(e.pop())},setTimer:(t,s)=>{e.push(setTimeout(t,s))}}})();let d,u;ws&&document.addEventListener("visibilitychange",(()=>{"visible"===document.visibilityState&&d&&new Date>d&&(ps("Expiration time passed, refreshing session"),h.refresh(Os()||u))}));const h=e(c(n,{afterRequest:async(e,t)=>{const{sessionJwt:s,refreshJwt:i,sessionExpiration:n}=await l(t);if(401===(null==t?void 0:t.status))ps("Received 401, canceling all timers"),o();else if(s||n){if(d=((e,t)=>{if(t)return new Date(1e3*t);ps("Could not extract expiration time from session token, trying to decode the token");try{const t=r(e);if(t.exp)return new Date(1e3*t.exp)}catch(e){return null}})(s,n),!d)return void ps("Could not extract expiration time from session token");u=i;const e=ys(d);if(o(),e<=2e4)return void ps("Session is too close to expiration, not setting refresh timer");const t=new Date(Date.now()+e).toLocaleTimeString("en-US",{hour12:!1});ps(`Setting refresh timer for ${t}. (${e}ms)`),a((()=>{ps("Refreshing session due to timer"),h.refresh(Os()||i)}),e)}}}));return rt(h,["logout","logoutAll","oidc.logout"],(e=>async(...t)=>{const s=await e(...t);return ps("Clearing all timers"),o(),s}))}),(e=>t=>e(Object.assign(Object.assign({},t),{baseHeaders:Object.assign({"x-descope-sdk-name":"web-js","x-descope-sdk-version":"1.27.1"},t.baseHeaders)}))),(e=>t=>{const s=ei(),i=ei(),r=ei(),n=e(c(t,{afterRequest:async(e,t)=>{if(401===(null==t?void 0:t.status))i.pub(null),r.pub(null),s.pub(null);else{const e=await d(t);e&&r.pub(e);const{sessionJwt:n,sessionExpiration:o}=await l(t);n&&i.pub(n),(o||n)&&s.pub(o||42)}}})),o=rt(n,["logout","logoutAll","oidc.logout"],(e=>async(...t)=>{const n=await e(...t);return i.pub(null),r.pub(null),s.pub(null),n}));return Object.assign(o,{onSessionTokenChange:i.sub,onUserChange:r.sub,onIsAuthenticatedChange:e=>s.sub((t=>{e(!!t)}))})}),(e=>s=>{var{storeLastAuthenticatedUser:i=!0,keepLastAuthenticatedUserAfterLogout:r=!1}=s,n=t(s,["storeLastAuthenticatedUser","keepLastAuthenticatedUserAfterLogout"]);if(!i)return Object.assign(e(n),{getLastUserLoginId:Gs,getLastUserDisplayName:Zs});const o=e(c(n,{afterRequest:async(e,t)=>{var s;const i=await d(t),r=null===(s=null==i?void 0:i.loginIds)||void 0===s?void 0:s[0],n=null==i?void 0:i.name;r&&((e=>{h(Vs,e)})(r),(e=>{h(Qs,e)})(n))}}));let a=rt(o,["flow.start"],Ys);return a=rt(a,["logout","logoutAll"],Xs(r)),Object.assign(a,{getLastUserLoginId:Gs,getLastUserDisplayName:Zs})}),(e=>s=>{var{persistTokens:i,sessionTokenViaCookie:r,storagePrefix:n}=s,o=t(s,["persistTokens","sessionTokenViaCookie","storagePrefix"]);if(!i||!ws)return e(o);const a=e(c(o,{beforeRequest:(d=n,e=>Object.assign(e,{token:e.token||Os(d)})),afterRequest:async(e,t)=>{const s=/^\/v\d+\/mgmt\//.test(e.path);401===(null==t?void 0:t.status)?s||Rs(n):((e={},t=!1,s="")=>{var i;const{sessionJwt:r,refreshJwt:n}=e;if(n&&h(`${s}${Is}`,n),r)if(t){const s=t.sameSite||"Strict",n=null===(i=t.secure)||void 0===i||i;Es(ks,r,Object.assign(Object.assign({},e),{cookieSameSite:s,cookieSecure:n}))}else h(`${s}${ks}`,r);e.idToken&&h(`${s}${Ts}`,e.idToken)})(await l(t),r,n)}}));var d;const u=rt(a,["logout","logoutAll","oidc.logout"],ti(n));return Object.assign(u,{getRefreshToken:()=>Os(n),getSessionToken:()=>xs(n),getIdToken:()=>Ps(n)})}))((e=>{const t=gs(e),s=mi(t,e.projectId,e.oidcConfig);return Object.assign(Object.assign({},t),{refresh:async i=>{if(e.oidcConfig)try{await s.refreshToken(i);return Promise.resolve({ok:!0})}catch(e){return Promise.resolve({ok:!1,error:{errorCode:"J161001",errorDescription:e.toString()}})}const r=xs(),n=Os();return t.refresh(i,{dcs:r?"t":"f",dcr:n?"t":"f"})},logout:async i=>{if(e.oidcConfig)try{return await s.logout({id_token_hint:i}),Promise.resolve({ok:!0})}catch(e){return Promise.resolve({ok:!1,error:{errorCode:"J161000",errorDescription:e.toString()}})}return t.logout(i)},flow:pi(t),webauthn:ui(t),fedcm:gi(t,e.projectId),oidc:s})}));vi.REFRESH_TOKEN_KEY=Is,vi.SESSION_TOKEN_KEY=ks;var yi,Si,bi,ki={debug:()=>{},info:()=>{},warn:()=>{},error:()=>{}},Ii=(e=>(e[e.NONE=0]="NONE",e[e.ERROR=1]="ERROR",e[e.WARN=2]="WARN",e[e.INFO=3]="INFO",e[e.DEBUG=4]="DEBUG",e))(Ii||{});(bi=Ii||(Ii={})).reset=function(){yi=3,Si=ki},bi.setLevel=function(e){if(!(0<=e&&e<=4))throw new Error("Invalid log level");yi=e},bi.setLogger=function(e){Si=e};var Ti=class e{constructor(e){this._name=e}debug(...t){yi>=4&&Si.debug(e._format(this._name,this._method),...t)}info(...t){yi>=3&&Si.info(e._format(this._name,this._method),...t)}warn(...t){yi>=2&&Si.warn(e._format(this._name,this._method),...t)}error(...t){yi>=1&&Si.error(e._format(this._name,this._method),...t)}throw(e){throw this.error(e),e}create(e){const t=Object.create(this);return t._method=e,t.debug("begin"),t}static createStatic(t,s){const i=new e(`${t}.${s}`);return i.debug("begin"),i}static _format(e,t){const s=`[${e}]`;return t?`${s} ${t}:`:s}static debug(t,...s){yi>=4&&Si.debug(e._format(t),...s)}static info(t,...s){yi>=3&&Si.info(e._format(t),...s)}static warn(t,...s){yi>=2&&Si.warn(e._format(t),...s)}static error(t,...s){yi>=1&&Si.error(e._format(t),...s)}};Ii.reset();var Ei=class{static decode(e){try{return r(e)}catch(e){throw Ti.error("JwtUtils.decode",e),e}}static async generateSignedJwt(e,t,s){const i=`${Pi.encodeBase64Url((new TextEncoder).encode(JSON.stringify(e)))}.${Pi.encodeBase64Url((new TextEncoder).encode(JSON.stringify(t)))}`,r=await window.crypto.subtle.sign({name:"ECDSA",hash:{name:"SHA-256"}},s,(new TextEncoder).encode(i));return`${i}.${Pi.encodeBase64Url(new Uint8Array(r))}`}},Oi=e=>btoa([...new Uint8Array(e)].map((e=>String.fromCharCode(e))).join("")),xi=class e{static _randomWord(){const e=new Uint32Array(1);return crypto.getRandomValues(e),e[0]}static generateUUIDv4(){const t="10000000-1000-4000-8000-100000000000".replace(/[018]/g,(t=>(+t^e._randomWord()&15>>+t/4).toString(16)));return t.replace(/-/g,"")}static generateCodeVerifier(){return e.generateUUIDv4()+e.generateUUIDv4()+e.generateUUIDv4()}static async generateCodeChallenge(e){if(!crypto.subtle)throw new Error("Crypto.subtle is available only in secure contexts (HTTPS).");try{const t=(new TextEncoder).encode(e),s=await crypto.subtle.digest("SHA-256",t);return Oi(s).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}catch(e){throw Ti.error("CryptoUtils.generateCodeChallenge",e),e}}static generateBasicAuth(e,t){const s=(new TextEncoder).encode([e,t].join(":"));return Oi(s)}static async hash(e,t){const s=(new TextEncoder).encode(t),i=await crypto.subtle.digest(e,s);return new Uint8Array(i)}static async customCalculateJwkThumbprint(t){let s;switch(t.kty){case"RSA":s={e:t.e,kty:t.kty,n:t.n};break;case"EC":s={crv:t.crv,kty:t.kty,x:t.x,y:t.y};break;case"OKP":s={crv:t.crv,kty:t.kty,x:t.x};break;case"oct":s={crv:t.k,kty:t.kty};break;default:throw new Error("Unknown jwk type")}const i=await e.hash("SHA-256",JSON.stringify(s));return e.encodeBase64Url(i)}static async generateDPoPProof({url:t,accessToken:s,httpMethod:i,keyPair:r,nonce:n}){let o,a;const c={jti:window.crypto.randomUUID(),htm:null!=i?i:"GET",htu:t,iat:Math.floor(Date.now()/1e3)};s&&(o=await e.hash("SHA-256",s),a=e.encodeBase64Url(o),c.ath=a),n&&(c.nonce=n);try{const e=await crypto.subtle.exportKey("jwk",r.publicKey),t={alg:"ES256",typ:"dpop+jwt",jwk:{crv:e.crv,kty:e.kty,x:e.x,y:e.y}};return await Ei.generateSignedJwt(t,c,r.privateKey)}catch(e){throw e instanceof TypeError?new Error(`Error exporting dpop public key: ${e.message}`):e}}static async generateDPoPJkt(t){try{const s=await crypto.subtle.exportKey("jwk",t.publicKey);return await e.customCalculateJwkThumbprint(s)}catch(e){throw e instanceof TypeError?new Error(`Could not retrieve dpop keys from storage: ${e.message}`):e}}static async generateDPoPKeys(){return await window.crypto.subtle.generateKey({name:"ECDSA",namedCurve:"P-256"},!1,["sign","verify"])}};xi.encodeBase64Url=e=>Oi(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_");var Pi=xi,Ri=class{constructor(e){this._name=e,this._callbacks=[],this._logger=new Ti(`Event('${this._name}')`)}addHandler(e){return this._callbacks.push(e),()=>this.removeHandler(e)}removeHandler(e){const t=this._callbacks.lastIndexOf(e);t>=0&&this._callbacks.splice(t,1)}async raise(...e){this._logger.debug("raise:",...e);for(const t of this._callbacks)await t(...e)}},Ui=class{static center({...e}){var t;return null==e.width&&(e.width=null!=(t=[800,720,600,480].find((e=>e<=window.outerWidth/1.618)))?t:360),null!=e.left||(e.left=Math.max(0,Math.round(window.screenX+(window.outerWidth-e.width)/2))),null!=e.height&&(null!=e.top||(e.top=Math.max(0,Math.round(window.screenY+(window.outerHeight-e.height)/2)))),e}static serialize(e){return Object.entries(e).filter((([,e])=>null!=e)).map((([e,t])=>`${e}=${"boolean"!=typeof t?t:t?"yes":"no"}`)).join(",")}},Ci=class e extends Ri{constructor(){super(...arguments),this._logger=new Ti(`Timer('${this._name}')`),this._timerHandle=null,this._expiration=0,this._callback=()=>{const t=this._expiration-e.getEpochTime();this._logger.debug("timer completes in",t),this._expiration<=e.getEpochTime()&&(this.cancel(),super.raise())}}static getEpochTime(){return Math.floor(Date.now()/1e3)}init(t){const s=this._logger.create("init");t=Math.max(Math.floor(t),1);const i=e.getEpochTime()+t;if(this.expiration===i&&this._timerHandle)return void s.debug("skipping since already initialized for expiration at",this.expiration);this.cancel(),s.debug("using duration",t),this._expiration=i;const r=Math.min(t,5);this._timerHandle=setInterval(this._callback,1e3*r)}get expiration(){return this._expiration}cancel(){this._logger.create("cancel"),this._timerHandle&&(clearInterval(this._timerHandle),this._timerHandle=null)}},ji=class{static readParams(e,t="query"){if(!e)throw new TypeError("Invalid URL");const s=new URL(e,"http://127.0.0.1")["fragment"===t?"hash":"search"];return new URLSearchParams(s.slice(1))}},qi=";",Ai=class extends Error{constructor(e,t){var s,i,r;if(super(e.error_description||e.error||""),this.form=t,this.name="ErrorResponse",!e.error)throw Ti.error("ErrorResponse","No error passed"),new Error("No error passed");this.error=e.error,this.error_description=null!=(s=e.error_description)?s:null,this.error_uri=null!=(i=e.error_uri)?i:null,this.state=e.userState,this.session_state=null!=(r=e.session_state)?r:null,this.url_state=e.url_state}},Ni=class extends Error{constructor(e){super(e),this.name="ErrorTimeout"}},$i=class{constructor(e){this._logger=new Ti("AccessTokenEvents"),this._expiringTimer=new Ci("Access token expiring"),this._expiredTimer=new Ci("Access token expired"),this._expiringNotificationTimeInSeconds=e.expiringNotificationTimeInSeconds}async load(e){const t=this._logger.create("load");if(e.access_token&&void 0!==e.expires_in){const s=e.expires_in;if(t.debug("access token present, remaining duration:",s),s>0){let e=s-this._expiringNotificationTimeInSeconds;e<=0&&(e=1),t.debug("registering expiring timer, raising in",e,"seconds"),this._expiringTimer.init(e)}else t.debug("canceling existing expiring timer because we're past expiration."),this._expiringTimer.cancel();const i=s+1;t.debug("registering expired timer, raising in",i,"seconds"),this._expiredTimer.init(i)}else this._expiringTimer.cancel(),this._expiredTimer.cancel()}async unload(){this._logger.debug("unload: canceling existing access token timers"),this._expiringTimer.cancel(),this._expiredTimer.cancel()}addAccessTokenExpiring(e){return this._expiringTimer.addHandler(e)}removeAccessTokenExpiring(e){this._expiringTimer.removeHandler(e)}addAccessTokenExpired(e){return this._expiredTimer.addHandler(e)}removeAccessTokenExpired(e){this._expiredTimer.removeHandler(e)}},Mi=class{constructor(e,t,s,i,r){this._callback=e,this._client_id=t,this._intervalInSeconds=i,this._stopOnError=r,this._logger=new Ti("CheckSessionIFrame"),this._timer=null,this._session_state=null,this._message=e=>{e.origin===this._frame_origin&&e.source===this._frame.contentWindow&&("error"===e.data?(this._logger.error("error message from check session op iframe"),this._stopOnError&&this.stop()):"changed"===e.data?(this._logger.debug("changed message from check session op iframe"),this.stop(),this._callback()):this._logger.debug(e.data+" message from check session op iframe"))};const n=new URL(s);this._frame_origin=n.origin,this._frame=window.document.createElement("iframe"),this._frame.style.visibility="hidden",this._frame.style.position="fixed",this._frame.style.left="-1000px",this._frame.style.top="0",this._frame.width="0",this._frame.height="0",this._frame.src=n.href}load(){return new Promise((e=>{this._frame.onload=()=>{e()},window.document.body.appendChild(this._frame),window.addEventListener("message",this._message,!1)}))}start(e){if(this._session_state===e)return;this._logger.create("start"),this.stop(),this._session_state=e;const t=()=>{this._frame.contentWindow&&this._session_state&&this._frame.contentWindow.postMessage(this._client_id+" "+this._session_state,this._frame_origin)};t(),this._timer=setInterval(t,1e3*this._intervalInSeconds)}stop(){this._logger.create("stop"),this._session_state=null,this._timer&&(clearInterval(this._timer),this._timer=null)}},Di=class{constructor(){this._logger=new Ti("InMemoryWebStorage"),this._data={}}clear(){this._logger.create("clear"),this._data={}}getItem(e){return this._logger.create(`getItem('${e}')`),this._data[e]}setItem(e,t){this._logger.create(`setItem('${e}')`),this._data[e]=t}removeItem(e){this._logger.create(`removeItem('${e}')`),delete this._data[e]}get length(){return Object.getOwnPropertyNames(this._data).length}key(e){return Object.getOwnPropertyNames(this._data)[e]}},Hi=class extends Error{constructor(e,t){super(t),this.name="ErrorDPoPNonce",this.nonce=e}},Ji=class{constructor(e=[],t=null,s={}){this._jwtHandler=t,this._extraHeaders=s,this._logger=new Ti("JsonService"),this._contentTypes=[],this._contentTypes.push(...e,"application/json"),t&&this._contentTypes.push("application/jwt")}async fetchWithTimeout(e,t={}){const{timeoutInSeconds:s,...i}=t;if(!s)return await fetch(e,i);const r=new AbortController,n=setTimeout((()=>r.abort()),1e3*s);try{return await fetch(e,{...t,signal:r.signal})}catch(e){if(e instanceof DOMException&&"AbortError"===e.name)throw new Ni("Network timed out");throw e}finally{clearTimeout(n)}}async getJson(e,{token:t,credentials:s,timeoutInSeconds:i}={}){const r=this._logger.create("getJson"),n={Accept:this._contentTypes.join(", ")};let o;t&&(r.debug("token passed, setting Authorization header"),n.Authorization="Bearer "+t),this._appendExtraHeaders(n);try{r.debug("url:",e),o=await this.fetchWithTimeout(e,{method:"GET",headers:n,timeoutInSeconds:i,credentials:s})}catch(e){throw r.error("Network Error"),e}r.debug("HTTP response received, status",o.status);const a=o.headers.get("Content-Type");if(a&&!this._contentTypes.find((e=>a.startsWith(e)))&&r.throw(new Error(`Invalid response Content-Type: ${null!=a?a:"undefined"}, from URL: ${e}`)),o.ok&&this._jwtHandler&&(null==a?void 0:a.startsWith("application/jwt")))return await this._jwtHandler(await o.text());let c;try{c=await o.json()}catch(e){if(r.error("Error parsing JSON response",e),o.ok)throw e;throw new Error(`${o.statusText} (${o.status})`)}if(!o.ok){if(r.error("Error from server:",c),c.error)throw new Ai(c);throw new Error(`${o.statusText} (${o.status}): ${JSON.stringify(c)}`)}return c}async postForm(e,{body:t,basicAuth:s,timeoutInSeconds:i,initCredentials:r,extraHeaders:n}){const o=this._logger.create("postForm"),a={Accept:this._contentTypes.join(", "),"Content-Type":"application/x-www-form-urlencoded",...n};let c;void 0!==s&&(a.Authorization="Basic "+s),this._appendExtraHeaders(a);try{o.debug("url:",e),c=await this.fetchWithTimeout(e,{method:"POST",headers:a,body:t,timeoutInSeconds:i,credentials:r})}catch(e){throw o.error("Network error"),e}o.debug("HTTP response received, status",c.status);const l=c.headers.get("Content-Type");if(l&&!this._contentTypes.find((e=>l.startsWith(e))))throw new Error(`Invalid response Content-Type: ${null!=l?l:"undefined"}, from URL: ${e}`);const d=await c.text();let u={};if(d)try{u=JSON.parse(d)}catch(e){if(o.error("Error parsing JSON response",e),c.ok)throw e;throw new Error(`${c.statusText} (${c.status})`)}if(!c.ok){if(o.error("Error from server:",u),c.headers.has("dpop-nonce")){const e=c.headers.get("dpop-nonce");throw new Hi(e,`${JSON.stringify(u)}`)}if(u.error)throw new Ai(u,t);throw new Error(`${c.statusText} (${c.status}): ${JSON.stringify(u)}`)}return u}_appendExtraHeaders(e){const t=this._logger.create("appendExtraHeaders"),s=Object.keys(this._extraHeaders),i=["accept","content-type"],r=["authorization"];0!==s.length&&s.forEach((s=>{if(i.includes(s.toLocaleLowerCase()))return void t.warn("Protected header could not be set",s,i);if(r.includes(s.toLocaleLowerCase())&&Object.keys(e).includes(s))return void t.warn("Header could not be overridden",s,r);const n="function"==typeof this._extraHeaders[s]?this._extraHeaders[s]():this._extraHeaders[s];n&&""!==n&&(e[s]=n)}))}},Li=class{constructor(e){this._settings=e,this._logger=new Ti("MetadataService"),this._signingKeys=null,this._metadata=null,this._metadataUrl=this._settings.metadataUrl,this._jsonService=new Ji(["application/jwk-set+json"],null,this._settings.extraHeaders),this._settings.signingKeys&&(this._logger.debug("using signingKeys from settings"),this._signingKeys=this._settings.signingKeys),this._settings.metadata&&(this._logger.debug("using metadata from settings"),this._metadata=this._settings.metadata),this._settings.fetchRequestCredentials&&(this._logger.debug("using fetchRequestCredentials from settings"),this._fetchRequestCredentials=this._settings.fetchRequestCredentials)}resetSigningKeys(){this._signingKeys=null}async getMetadata(){const e=this._logger.create("getMetadata");if(this._metadata)return e.debug("using cached values"),this._metadata;if(!this._metadataUrl)throw e.throw(new Error("No authority or metadataUrl configured on settings")),null;e.debug("getting metadata from",this._metadataUrl);const t=await this._jsonService.getJson(this._metadataUrl,{credentials:this._fetchRequestCredentials,timeoutInSeconds:this._settings.requestTimeoutInSeconds});return e.debug("merging remote JSON with seed metadata"),this._metadata=Object.assign({},t,this._settings.metadataSeed),this._metadata}getIssuer(){return this._getMetadataProperty("issuer")}getAuthorizationEndpoint(){return this._getMetadataProperty("authorization_endpoint")}getUserInfoEndpoint(){return this._getMetadataProperty("userinfo_endpoint")}getTokenEndpoint(e=!0){return this._getMetadataProperty("token_endpoint",e)}getCheckSessionIframe(){return this._getMetadataProperty("check_session_iframe",!0)}getEndSessionEndpoint(){return this._getMetadataProperty("end_session_endpoint",!0)}getRevocationEndpoint(e=!0){return this._getMetadataProperty("revocation_endpoint",e)}getKeysEndpoint(e=!0){return this._getMetadataProperty("jwks_uri",e)}async _getMetadataProperty(e,t=!1){const s=this._logger.create(`_getMetadataProperty('${e}')`),i=await this.getMetadata();if(s.debug("resolved"),void 0===i[e]){if(!0===t)return void s.warn("Metadata does not contain optional property");s.throw(new Error("Metadata does not contain property "+e))}return i[e]}async getSigningKeys(){const e=this._logger.create("getSigningKeys");if(this._signingKeys)return e.debug("returning signingKeys from cache"),this._signingKeys;const t=await this.getKeysEndpoint(!1);e.debug("got jwks_uri",t);const s=await this._jsonService.getJson(t,{timeoutInSeconds:this._settings.requestTimeoutInSeconds});if(e.debug("got key set",s),!Array.isArray(s.keys))throw e.throw(new Error("Missing keys on keyset")),null;return this._signingKeys=s.keys,this._signingKeys}},Ki=class{constructor({prefix:e="oidc.",store:t=localStorage}={}){this._logger=new Ti("WebStorageStateStore"),this._store=t,this._prefix=e}async set(e,t){this._logger.create(`set('${e}')`),e=this._prefix+e,await this._store.setItem(e,t)}async get(e){this._logger.create(`get('${e}')`),e=this._prefix+e;return await this._store.getItem(e)}async remove(e){this._logger.create(`remove('${e}')`),e=this._prefix+e;const t=await this._store.getItem(e);return await this._store.removeItem(e),t}async getAllKeys(){this._logger.create("getAllKeys");const e=await this._store.length,t=[];for(let s=0;s<e;s++){const e=await this._store.key(s);e&&0===e.indexOf(this._prefix)&&t.push(e.substr(this._prefix.length))}return t}},Wi=class{constructor({authority:e,metadataUrl:t,metadata:s,signingKeys:i,metadataSeed:r,client_id:n,client_secret:o,response_type:a="code",scope:c="openid",redirect_uri:l,post_logout_redirect_uri:d,client_authentication:u="client_secret_post",prompt:h,display:g,max_age:p,ui_locales:_,acr_values:w,resource:f,response_mode:m,filterProtocolClaims:v=!0,loadUserInfo:y=!1,requestTimeoutInSeconds:S,staleStateAgeInSeconds:b=900,mergeClaimsStrategy:k={array:"replace"},disablePKCE:I=!1,stateStore:T,revokeTokenAdditionalContentTypes:E,fetchRequestCredentials:O,refreshTokenAllowedScope:x,extraQueryParams:P={},extraTokenParams:R={},extraHeaders:U={},dpop:C,omitScopeWhenRequesting:j=!1}){var q;if(this.authority=e,t?this.metadataUrl=t:(this.metadataUrl=e,e&&(this.metadataUrl.endsWith("/")||(this.metadataUrl+="/"),this.metadataUrl+=".well-known/openid-configuration")),this.metadata=s,this.metadataSeed=r,this.signingKeys=i,this.client_id=n,this.client_secret=o,this.response_type=a,this.scope=c,this.redirect_uri=l,this.post_logout_redirect_uri=d,this.client_authentication=u,this.prompt=h,this.display=g,this.max_age=p,this.ui_locales=_,this.acr_values=w,this.resource=f,this.response_mode=m,this.filterProtocolClaims=null==v||v,this.loadUserInfo=!!y,this.staleStateAgeInSeconds=b,this.mergeClaimsStrategy=k,this.omitScopeWhenRequesting=j,this.disablePKCE=!!I,this.revokeTokenAdditionalContentTypes=E,this.fetchRequestCredentials=O||"same-origin",this.requestTimeoutInSeconds=S,T)this.stateStore=T;else{const e="undefined"!=typeof window?window.localStorage:new Di;this.stateStore=new Ki({store:e})}if(this.refreshTokenAllowedScope=x,this.extraQueryParams=P,this.extraTokenParams=R,this.extraHeaders=U,this.dpop=C,this.dpop&&!(null==(q=this.dpop)?void 0:q.store))throw new Error("A DPoPStore is required when dpop is enabled")}},Fi=class{constructor(e,t){this._settings=e,this._metadataService=t,this._logger=new Ti("UserInfoService"),this._getClaimsFromJwt=async e=>{const t=this._logger.create("_getClaimsFromJwt");try{const s=Ei.decode(e);return t.debug("JWT decoding successful"),s}catch(e){throw t.error("Error parsing JWT response"),e}},this._jsonService=new Ji(void 0,this._getClaimsFromJwt,this._settings.extraHeaders)}async getClaims(e){const t=this._logger.create("getClaims");e||this._logger.throw(new Error("No token passed"));const s=await this._metadataService.getUserInfoEndpoint();t.debug("got userinfo url",s);const i=await this._jsonService.getJson(s,{token:e,credentials:this._settings.fetchRequestCredentials,timeoutInSeconds:this._settings.requestTimeoutInSeconds});return t.debug("got claims",i),i}},zi=class{constructor(e,t){this._settings=e,this._metadataService=t,this._logger=new Ti("TokenClient"),this._jsonService=new Ji(this._settings.revokeTokenAdditionalContentTypes,null,this._settings.extraHeaders)}async exchangeCode({grant_type:e="authorization_code",redirect_uri:t=this._settings.redirect_uri,client_id:s=this._settings.client_id,client_secret:i=this._settings.client_secret,extraHeaders:r,...n}){const o=this._logger.create("exchangeCode");s||o.throw(new Error("A client_id is required")),t||o.throw(new Error("A redirect_uri is required")),n.code||o.throw(new Error("A code is required"));const a=new URLSearchParams({grant_type:e,redirect_uri:t});for(const[e,t]of Object.entries(n))null!=t&&a.set(e,t);let c;switch(this._settings.client_authentication){case"client_secret_basic":if(null==i)throw o.throw(new Error("A client_secret is required")),null;c=Pi.generateBasicAuth(s,i);break;case"client_secret_post":a.append("client_id",s),i&&a.append("client_secret",i)}const l=await this._metadataService.getTokenEndpoint(!1);o.debug("got token endpoint");const d=await this._jsonService.postForm(l,{body:a,basicAuth:c,timeoutInSeconds:this._settings.requestTimeoutInSeconds,initCredentials:this._settings.fetchRequestCredentials,extraHeaders:r});return o.debug("got response"),d}async exchangeCredentials({grant_type:e="password",client_id:t=this._settings.client_id,client_secret:s=this._settings.client_secret,scope:i=this._settings.scope,...r}){const n=this._logger.create("exchangeCredentials");t||n.throw(new Error("A client_id is required"));const o=new URLSearchParams({grant_type:e});this._settings.omitScopeWhenRequesting||o.set("scope",i);for(const[e,t]of Object.entries(r))null!=t&&o.set(e,t);let a;switch(this._settings.client_authentication){case"client_secret_basic":if(null==s)throw n.throw(new Error("A client_secret is required")),null;a=Pi.generateBasicAuth(t,s);break;case"client_secret_post":o.append("client_id",t),s&&o.append("client_secret",s)}const c=await this._metadataService.getTokenEndpoint(!1);n.debug("got token endpoint");const l=await this._jsonService.postForm(c,{body:o,basicAuth:a,timeoutInSeconds:this._settings.requestTimeoutInSeconds,initCredentials:this._settings.fetchRequestCredentials});return n.debug("got response"),l}async exchangeRefreshToken({grant_type:e="refresh_token",client_id:t=this._settings.client_id,client_secret:s=this._settings.client_secret,timeoutInSeconds:i,extraHeaders:r,...n}){const o=this._logger.create("exchangeRefreshToken");t||o.throw(new Error("A client_id is required")),n.refresh_token||o.throw(new Error("A refresh_token is required"));const a=new URLSearchParams({grant_type:e});for(const[e,t]of Object.entries(n))Array.isArray(t)?t.forEach((t=>a.append(e,t))):null!=t&&a.set(e,t);let c;switch(this._settings.client_authentication){case"client_secret_basic":if(null==s)throw o.throw(new Error("A client_secret is required")),null;c=Pi.generateBasicAuth(t,s);break;case"client_secret_post":a.append("client_id",t),s&&a.append("client_secret",s)}const l=await this._metadataService.getTokenEndpoint(!1);o.debug("got token endpoint");const d=await this._jsonService.postForm(l,{body:a,basicAuth:c,timeoutInSeconds:i,initCredentials:this._settings.fetchRequestCredentials,extraHeaders:r});return o.debug("got response"),d}async revoke(e){var t;const s=this._logger.create("revoke");e.token||s.throw(new Error("A token is required"));const i=await this._metadataService.getRevocationEndpoint(!1);s.debug(`got revocation endpoint, revoking ${null!=(t=e.token_type_hint)?t:"default token type"}`);const r=new URLSearchParams;for(const[t,s]of Object.entries(e))null!=s&&r.set(t,s);r.set("client_id",this._settings.client_id),this._settings.client_secret&&r.set("client_secret",this._settings.client_secret),await this._jsonService.postForm(i,{body:r,timeoutInSeconds:this._settings.requestTimeoutInSeconds}),s.debug("got response")}},Bi=class{constructor(e,t,s){this._settings=e,this._metadataService=t,this._claimsService=s,this._logger=new Ti("ResponseValidator"),this._userInfoService=new Fi(this._settings,this._metadataService),this._tokenClient=new zi(this._settings,this._metadataService)}async validateSigninResponse(e,t,s){const i=this._logger.create("validateSigninResponse");this._processSigninState(e,t),i.debug("state processed"),await this._processCode(e,t,s),i.debug("code processed"),e.isOpenId&&this._validateIdTokenAttributes(e),i.debug("tokens validated"),await this._processClaims(e,null==t?void 0:t.skipUserInfo,e.isOpenId),i.debug("claims processed")}async validateCredentialsResponse(e,t){const s=this._logger.create("validateCredentialsResponse");e.isOpenId&&e.id_token&&this._validateIdTokenAttributes(e),s.debug("tokens validated"),await this._processClaims(e,t,e.isOpenId),s.debug("claims processed")}async validateRefreshResponse(e,t){const s=this._logger.create("validateRefreshResponse");e.userState=t.data,null!=e.session_state||(e.session_state=t.session_state),null!=e.scope||(e.scope=t.scope),e.isOpenId&&e.id_token&&(this._validateIdTokenAttributes(e,t.id_token),s.debug("ID Token validated")),e.id_token||(e.id_token=t.id_token,e.profile=t.profile);const i=e.isOpenId&&!!e.id_token;await this._processClaims(e,!1,i),s.debug("claims processed")}validateSignoutResponse(e,t){const s=this._logger.create("validateSignoutResponse");if(t.id!==e.state&&s.throw(new Error("State does not match")),s.debug("state validated"),e.userState=t.data,e.error)throw s.warn("Response was error",e.error),new Ai(e)}_processSigninState(e,t){const s=this._logger.create("_processSigninState");if(t.id!==e.state&&s.throw(new Error("State does not match")),t.client_id||s.throw(new Error("No client_id on state")),t.authority||s.throw(new Error("No authority on state")),this._settings.authority!==t.authority&&s.throw(new Error("authority mismatch on settings vs. signin state")),this._settings.client_id&&this._settings.client_id!==t.client_id&&s.throw(new Error("client_id mismatch on settings vs. signin state")),s.debug("state validated"),e.userState=t.data,e.url_state=t.url_state,null!=e.scope||(e.scope=t.scope),e.error)throw s.warn("Response was error",e.error),new Ai(e);t.code_verifier&&!e.code&&s.throw(new Error("Expected code in response"))}async _processClaims(e,t=!1,s=!0){const i=this._logger.create("_processClaims");if(e.profile=this._claimsService.filterProtocolClaims(e.profile),t||!this._settings.loadUserInfo||!e.access_token)return void i.debug("not loading user info");i.debug("loading user info");const r=await this._userInfoService.getClaims(e.access_token);i.debug("user info claims received from user info endpoint"),s&&r.sub!==e.profile.sub&&i.throw(new Error("subject from UserInfo response does not match subject in ID Token")),e.profile=this._claimsService.mergeClaims(e.profile,this._claimsService.filterProtocolClaims(r)),i.debug("user info claims received, updated profile:",e.profile)}async _processCode(e,t,s){const i=this._logger.create("_processCode");if(e.code){i.debug("Validating code");const r=await this._tokenClient.exchangeCode({client_id:t.client_id,client_secret:t.client_secret,code:e.code,redirect_uri:t.redirect_uri,code_verifier:t.code_verifier,extraHeaders:s,...t.extraTokenParams});Object.assign(e,r)}else i.debug("No code to process")}_validateIdTokenAttributes(e,t){var s;const i=this._logger.create("_validateIdTokenAttributes");i.debug("decoding ID Token JWT");const r=Ei.decode(null!=(s=e.id_token)?s:"");if(r.sub||i.throw(new Error("ID Token is missing a subject claim")),t){const e=Ei.decode(t);r.sub!==e.sub&&i.throw(new Error("sub in id_token does not match current sub")),r.auth_time&&r.auth_time!==e.auth_time&&i.throw(new Error("auth_time in id_token does not match original auth_time")),r.azp&&r.azp!==e.azp&&i.throw(new Error("azp in id_token does not match original azp")),!r.azp&&e.azp&&i.throw(new Error("azp not in id_token, but present in original id_token"))}e.profile=r}},Vi=class e{constructor(e){this.id=e.id||Pi.generateUUIDv4(),this.data=e.data,e.created&&e.created>0?this.created=e.created:this.created=Ci.getEpochTime(),this.request_type=e.request_type,this.url_state=e.url_state}toStorageString(){return new Ti("State").create("toStorageString"),JSON.stringify({id:this.id,data:this.data,created:this.created,request_type:this.request_type,url_state:this.url_state})}static fromStorageString(t){return Ti.createStatic("State","fromStorageString"),Promise.resolve(new e(JSON.parse(t)))}static async clearStaleState(t,s){const i=Ti.createStatic("State","clearStaleState"),r=Ci.getEpochTime()-s,n=await t.getAllKeys();i.debug("got keys",n);for(let s=0;s<n.length;s++){const o=n[s],a=await t.get(o);let c=!1;if(a)try{const t=await e.fromStorageString(a);i.debug("got item from key:",o,t.created),t.created<=r&&(c=!0)}catch(e){i.error("Error parsing state for key:",o,e),c=!0}else i.debug("no item in storage for key:",o),c=!0;c&&(i.debug("removed item for key:",o),t.remove(o))}}},Qi=class e extends Vi{constructor(e){super(e),this.code_verifier=e.code_verifier,this.code_challenge=e.code_challenge,this.authority=e.authority,this.client_id=e.client_id,this.redirect_uri=e.redirect_uri,this.scope=e.scope,this.client_secret=e.client_secret,this.extraTokenParams=e.extraTokenParams,this.response_mode=e.response_mode,this.skipUserInfo=e.skipUserInfo}static async create(t){const s=!0===t.code_verifier?Pi.generateCodeVerifier():t.code_verifier||void 0,i=s?await Pi.generateCodeChallenge(s):void 0;return new e({...t,code_verifier:s,code_challenge:i})}toStorageString(){return new Ti("SigninState").create("toStorageString"),JSON.stringify({id:this.id,data:this.data,created:this.created,request_type:this.request_type,url_state:this.url_state,code_verifier:this.code_verifier,authority:this.authority,client_id:this.client_id,redirect_uri:this.redirect_uri,scope:this.scope,client_secret:this.client_secret,extraTokenParams:this.extraTokenParams,response_mode:this.response_mode,skipUserInfo:this.skipUserInfo})}static fromStorageString(t){Ti.createStatic("SigninState","fromStorageString");const s=JSON.parse(t);return e.create(s)}},Gi=class e{constructor(e){this.url=e.url,this.state=e.state}static async create({url:t,authority:s,client_id:i,redirect_uri:r,response_type:n,scope:o,state_data:a,response_mode:c,request_type:l,client_secret:d,nonce:u,url_state:h,resource:g,skipUserInfo:p,extraQueryParams:_,extraTokenParams:w,disablePKCE:f,dpopJkt:m,omitScopeWhenRequesting:v,...y}){if(!t)throw this._logger.error("create: No url passed"),new Error("url");if(!i)throw this._logger.error("create: No client_id passed"),new Error("client_id");if(!r)throw this._logger.error("create: No redirect_uri passed"),new Error("redirect_uri");if(!n)throw this._logger.error("create: No response_type passed"),new Error("response_type");if(!o)throw this._logger.error("create: No scope passed"),new Error("scope");if(!s)throw this._logger.error("create: No authority passed"),new Error("authority");const S=await Qi.create({data:a,request_type:l,url_state:h,code_verifier:!f,client_id:i,authority:s,redirect_uri:r,response_mode:c,client_secret:d,scope:o,extraTokenParams:w,skipUserInfo:p}),b=new URL(t);b.searchParams.append("client_id",i),b.searchParams.append("redirect_uri",r),b.searchParams.append("response_type",n),v||b.searchParams.append("scope",o),u&&b.searchParams.append("nonce",u),m&&b.searchParams.append("dpop_jkt",m);let k=S.id;if(h&&(k=`${k}${qi}${h}`),b.searchParams.append("state",k),S.code_challenge&&(b.searchParams.append("code_challenge",S.code_challenge),b.searchParams.append("code_challenge_method","S256")),g){(Array.isArray(g)?g:[g]).forEach((e=>b.searchParams.append("resource",e)))}for(const[e,t]of Object.entries({response_mode:c,...y,..._}))null!=t&&b.searchParams.append(e,t.toString());return new e({url:b.href,state:S})}};Gi._logger=new Ti("SigninRequest");var Zi=Gi,Yi=class{constructor(e){if(this.access_token="",this.token_type="",this.profile={},this.state=e.get("state"),this.session_state=e.get("session_state"),this.state){const e=decodeURIComponent(this.state).split(qi);this.state=e[0],e.length>1&&(this.url_state=e.slice(1).join(qi))}this.error=e.get("error"),this.error_description=e.get("error_description"),this.error_uri=e.get("error_uri"),this.code=e.get("code")}get expires_in(){if(void 0!==this.expires_at)return this.expires_at-Ci.getEpochTime()}set expires_in(e){"string"==typeof e&&(e=Number(e)),void 0!==e&&e>=0&&(this.expires_at=Math.floor(e)+Ci.getEpochTime())}get isOpenId(){var e;return(null==(e=this.scope)?void 0:e.split(" ").includes("openid"))||!!this.id_token}},Xi=class{constructor({url:e,state_data:t,id_token_hint:s,post_logout_redirect_uri:i,extraQueryParams:r,request_type:n,client_id:o,url_state:a}){if(this._logger=new Ti("SignoutRequest"),!e)throw this._logger.error("ctor: No url passed"),new Error("url");const c=new URL(e);if(s&&c.searchParams.append("id_token_hint",s),o&&c.searchParams.append("client_id",o),i&&(c.searchParams.append("post_logout_redirect_uri",i),t||a)){this.state=new Vi({data:t,request_type:n,url_state:a});let e=this.state.id;a&&(e=`${e}${qi}${a}`),c.searchParams.append("state",e)}for(const[e,t]of Object.entries({...r}))null!=t&&c.searchParams.append(e,t.toString());this.url=c.href}},er=class{constructor(e){if(this.state=e.get("state"),this.state){const e=decodeURIComponent(this.state).split(qi);this.state=e[0],e.length>1&&(this.url_state=e.slice(1).join(qi))}this.error=e.get("error"),this.error_description=e.get("error_description"),this.error_uri=e.get("error_uri")}},tr=["nbf","jti","auth_time","nonce","acr","amr","azp","at_hash"],sr=["sub","iss","aud","exp","iat"],ir=class{constructor(e){this._settings=e,this._logger=new Ti("ClaimsService")}filterProtocolClaims(e){const t={...e};if(this._settings.filterProtocolClaims){let e;e=Array.isArray(this._settings.filterProtocolClaims)?this._settings.filterProtocolClaims:tr;for(const s of e)sr.includes(s)||delete t[s]}return t}mergeClaims(e,t){const s={...e};for(const[e,i]of Object.entries(t))if(s[e]!==i)if(Array.isArray(s[e])||Array.isArray(i))if("replace"==this._settings.mergeClaimsStrategy.array)s[e]=i;else{const t=Array.isArray(s[e])?s[e]:[s[e]];for(const e of Array.isArray(i)?i:[i])t.includes(e)||t.push(e);s[e]=t}else"object"==typeof s[e]&&"object"==typeof i?s[e]=this.mergeClaims(s[e],i):s[e]=i;return s}},rr=class{constructor(e,t){this.keys=e,this.nonce=t}},nr=class{constructor(e,t){this._logger=new Ti("OidcClient"),this.settings=e instanceof Wi?e:new Wi(e),this.metadataService=null!=t?t:new Li(this.settings),this._claimsService=new ir(this.settings),this._validator=new Bi(this.settings,this.metadataService,this._claimsService),this._tokenClient=new zi(this.settings,this.metadataService)}async createSigninRequest({state:e,request:t,request_uri:s,request_type:i,id_token_hint:r,login_hint:n,skipUserInfo:o,nonce:a,url_state:c,response_type:l=this.settings.response_type,scope:d=this.settings.scope,redirect_uri:u=this.settings.redirect_uri,prompt:h=this.settings.prompt,display:g=this.settings.display,max_age:p=this.settings.max_age,ui_locales:_=this.settings.ui_locales,acr_values:w=this.settings.acr_values,resource:f=this.settings.resource,response_mode:m=this.settings.response_mode,extraQueryParams:v=this.settings.extraQueryParams,extraTokenParams:y=this.settings.extraTokenParams,dpopJkt:S,omitScopeWhenRequesting:b=this.settings.omitScopeWhenRequesting}){const k=this._logger.create("createSigninRequest");if("code"!==l)throw new Error("Only the Authorization Code flow (with PKCE) is supported");const I=await this.metadataService.getAuthorizationEndpoint();k.debug("Received authorization endpoint",I);const T=await Zi.create({url:I,authority:this.settings.authority,client_id:this.settings.client_id,redirect_uri:u,response_type:l,scope:d,state_data:e,url_state:c,prompt:h,display:g,max_age:p,ui_locales:_,id_token_hint:r,login_hint:n,acr_values:w,dpopJkt:S,resource:f,request:t,request_uri:s,extraQueryParams:v,extraTokenParams:y,request_type:i,response_mode:m,client_secret:this.settings.client_secret,skipUserInfo:o,nonce:a,disablePKCE:this.settings.disablePKCE,omitScopeWhenRequesting:b});await this.clearStaleState();const E=T.state;return await this.settings.stateStore.set(E.id,E.toStorageString()),T}async readSigninResponseState(e,t=!1){const s=this._logger.create("readSigninResponseState"),i=new Yi(ji.readParams(e,this.settings.response_mode));if(!i.state)throw s.throw(new Error("No state in response")),null;const r=await this.settings.stateStore[t?"remove":"get"](i.state);if(!r)throw s.throw(new Error("No matching state found in storage")),null;return{state:await Qi.fromStorageString(r),response:i}}async processSigninResponse(e,t,s=!0){const i=this._logger.create("processSigninResponse"),{state:r,response:n}=await this.readSigninResponseState(e,s);if(i.debug("received state from storage; validating response"),this.settings.dpop&&this.settings.dpop.store){const e=await this.getDpopProof(this.settings.dpop.store);t={...t,DPoP:e}}try{await this._validator.validateSigninResponse(n,r,t)}catch(e){if(!(e instanceof Hi&&this.settings.dpop))throw e;{const s=await this.getDpopProof(this.settings.dpop.store,e.nonce);t.DPoP=s,await this._validator.validateSigninResponse(n,r,t)}}return n}async getDpopProof(e,t){let s,i;return(await e.getAllKeys()).includes(this.settings.client_id)?(i=await e.get(this.settings.client_id),i.nonce!==t&&t&&(i.nonce=t,await e.set(this.settings.client_id,i))):(s=await Pi.generateDPoPKeys(),i=new rr(s,t),await e.set(this.settings.client_id,i)),await Pi.generateDPoPProof({url:await this.metadataService.getTokenEndpoint(!1),httpMethod:"POST",keyPair:i.keys,nonce:i.nonce})}async processResourceOwnerPasswordCredentials({username:e,password:t,skipUserInfo:s=!1,extraTokenParams:i={}}){const r=await this._tokenClient.exchangeCredentials({username:e,password:t,...i}),n=new Yi(new URLSearchParams);return Object.assign(n,r),await this._validator.validateCredentialsResponse(n,s),n}async useRefreshToken({state:e,redirect_uri:t,resource:s,timeoutInSeconds:i,extraHeaders:r,extraTokenParams:n}){var o;const a=this._logger.create("useRefreshToken");let c,l;if(void 0===this.settings.refreshTokenAllowedScope)c=e.scope;else{const t=this.settings.refreshTokenAllowedScope.split(" ");c=((null==(o=e.scope)?void 0:o.split(" "))||[]).filter((e=>t.includes(e))).join(" ")}if(this.settings.dpop&&this.settings.dpop.store){const e=await this.getDpopProof(this.settings.dpop.store);r={...r,DPoP:e}}try{l=await this._tokenClient.exchangeRefreshToken({refresh_token:e.refresh_token,scope:c,redirect_uri:t,resource:s,timeoutInSeconds:i,extraHeaders:r,...n})}catch(o){if(!(o instanceof Hi&&this.settings.dpop))throw o;r.DPoP=await this.getDpopProof(this.settings.dpop.store,o.nonce),l=await this._tokenClient.exchangeRefreshToken({refresh_token:e.refresh_token,scope:c,redirect_uri:t,resource:s,timeoutInSeconds:i,extraHeaders:r,...n})}const d=new Yi(new URLSearchParams);return Object.assign(d,l),a.debug("validating response",d),await this._validator.validateRefreshResponse(d,{...e,scope:c}),d}async createSignoutRequest({state:e,id_token_hint:t,client_id:s,request_type:i,url_state:r,post_logout_redirect_uri:n=this.settings.post_logout_redirect_uri,extraQueryParams:o=this.settings.extraQueryParams}={}){const a=this._logger.create("createSignoutRequest"),c=await this.metadataService.getEndSessionEndpoint();if(!c)throw a.throw(new Error("No end session endpoint")),null;a.debug("Received end session endpoint",c),s||!n||t||(s=this.settings.client_id);const l=new Xi({url:c,id_token_hint:t,client_id:s,post_logout_redirect_uri:n,state_data:e,extraQueryParams:o,request_type:i,url_state:r});await this.clearStaleState();const d=l.state;return d&&(a.debug("Signout request has state to persist"),await this.settings.stateStore.set(d.id,d.toStorageString())),l}async readSignoutResponseState(e,t=!1){const s=this._logger.create("readSignoutResponseState"),i=new er(ji.readParams(e,this.settings.response_mode));if(!i.state){if(s.debug("No state in response"),i.error)throw s.warn("Response was error:",i.error),new Ai(i);return{state:void 0,response:i}}const r=await this.settings.stateStore[t?"remove":"get"](i.state);if(!r)throw s.throw(new Error("No matching state found in storage")),null;return{state:await Vi.fromStorageString(r),response:i}}async processSignoutResponse(e){const t=this._logger.create("processSignoutResponse"),{state:s,response:i}=await this.readSignoutResponseState(e,!0);return s?(t.debug("Received state from storage; validating response"),this._validator.validateSignoutResponse(i,s)):t.debug("No state from storage; skipping response validation"),i}clearStaleState(){return this._logger.create("clearStaleState"),Vi.clearStaleState(this.settings.stateStore,this.settings.staleStateAgeInSeconds)}async revokeToken(e,t){return this._logger.create("revokeToken"),await this._tokenClient.revoke({token:e,token_type_hint:t})}},or=class{constructor(e){this._userManager=e,this._logger=new Ti("SessionMonitor"),this._start=async e=>{const t=e.session_state;if(!t)return;const s=this._logger.create("_start");if(e.profile?(this._sub=e.profile.sub,s.debug("session_state",t,", sub",this._sub)):(this._sub=void 0,s.debug("session_state",t,", anonymous user")),this._checkSessionIFrame)this._checkSessionIFrame.start(t);else try{const e=await this._userManager.metadataService.getCheckSessionIframe();if(e){s.debug("initializing check session iframe");const i=this._userManager.settings.client_id,r=this._userManager.settings.checkSessionIntervalInSeconds,n=this._userManager.settings.stopCheckSessionOnError,o=new Mi(this._callback,i,e,r,n);await o.load(),this._checkSessionIFrame=o,o.start(t)}else s.warn("no check session iframe found in the metadata")}catch(e){s.error("Error from getCheckSessionIframe:",e instanceof Error?e.message:e)}},this._stop=()=>{const e=this._logger.create("_stop");if(this._sub=void 0,this._checkSessionIFrame&&this._checkSessionIFrame.stop(),this._userManager.settings.monitorAnonymousSession){const t=setInterval((async()=>{clearInterval(t);try{const e=await this._userManager.querySessionStatus();if(e){const t={session_state:e.session_state,profile:e.sub?{sub:e.sub}:null};this._start(t)}}catch(t){e.error("error from querySessionStatus",t instanceof Error?t.message:t)}}),1e3)}},this._callback=async()=>{const e=this._logger.create("_callback");try{const t=await this._userManager.querySessionStatus();let s=!0;t&&this._checkSessionIFrame?t.sub===this._sub?(s=!1,this._checkSessionIFrame.start(t.session_state),e.debug("same sub still logged in at OP, session state has changed, restarting check session iframe; session_state",t.session_state),await this._userManager.events._raiseUserSessionChanged()):e.debug("different subject signed into OP",t.sub):e.debug("subject no longer signed into OP"),s?this._sub?await this._userManager.events._raiseUserSignedOut():await this._userManager.events._raiseUserSignedIn():e.debug("no change in session detected, no event to raise")}catch(t){this._sub&&(e.debug("Error calling queryCurrentSigninSession; raising signed out event",t),await this._userManager.events._raiseUserSignedOut())}},e||this._logger.throw(new Error("No user manager passed")),this._userManager.events.addUserLoaded(this._start),this._userManager.events.addUserUnloaded(this._stop),this._init().catch((e=>{this._logger.error(e)}))}async _init(){this._logger.create("_init");const e=await this._userManager.getUser();if(e)this._start(e);else if(this._userManager.settings.monitorAnonymousSession){const e=await this._userManager.querySessionStatus();if(e){const t={session_state:e.session_state,profile:e.sub?{sub:e.sub}:null};this._start(t)}}}},ar=class e{constructor(e){var t;this.id_token=e.id_token,this.session_state=null!=(t=e.session_state)?t:null,this.access_token=e.access_token,this.refresh_token=e.refresh_token,this.token_type=e.token_type,this.scope=e.scope,this.profile=e.profile,this.expires_at=e.expires_at,this.state=e.userState,this.url_state=e.url_state}get expires_in(){if(void 0!==this.expires_at)return this.expires_at-Ci.getEpochTime()}set expires_in(e){void 0!==e&&(this.expires_at=Math.floor(e)+Ci.getEpochTime())}get expired(){const e=this.expires_in;if(void 0!==e)return e<=0}get scopes(){var e,t;return null!=(t=null==(e=this.scope)?void 0:e.split(" "))?t:[]}toStorageString(){return new Ti("User").create("toStorageString"),JSON.stringify({id_token:this.id_token,session_state:this.session_state,access_token:this.access_token,refresh_token:this.refresh_token,token_type:this.token_type,scope:this.scope,profile:this.profile,expires_at:this.expires_at})}static fromStorageString(t){return Ti.createStatic("User","fromStorageString"),new e(JSON.parse(t))}},cr="oidc-client",lr=class{constructor(){this._abort=new Ri("Window navigation aborted"),this._disposeHandlers=new Set,this._window=null}async navigate(e){const t=this._logger.create("navigate");if(!this._window)throw new Error("Attempted to navigate on a disposed window");t.debug("setting URL in window"),this._window.location.replace(e.url);const{url:s,keepOpen:i}=await new Promise(((s,i)=>{const r=r=>{var n;const o=r.data,a=null!=(n=e.scriptOrigin)?n:window.location.origin;if(r.origin===a&&(null==o?void 0:o.source)===cr){try{const s=ji.readParams(o.url,e.response_mode).get("state");if(s||t.warn("no state found in response url"),r.source!==this._window&&s!==e.state)return}catch{this._dispose(),i(new Error("Invalid response from window"))}s(o)}};window.addEventListener("message",r,!1),this._disposeHandlers.add((()=>window.removeEventListener("message",r,!1))),this._disposeHandlers.add(this._abort.addHandler((e=>{this._dispose(),i(e)})))}));return t.debug("got response from window"),this._dispose(),i||this.close(),{url:s}}_dispose(){this._logger.create("_dispose");for(const e of this._disposeHandlers)e();this._disposeHandlers.clear()}static _notifyParent(e,t,s=!1,i=window.location.origin){e.postMessage({source:cr,url:t,keepOpen:s},i)}},dr={location:!1,toolbar:!1,height:640,closePopupWindowAfterInSeconds:-1},ur="_blank",hr=60,gr=2,pr=class extends Wi{constructor(e){const{popup_redirect_uri:t=e.redirect_uri,popup_post_logout_redirect_uri:s=e.post_logout_redirect_uri,popupWindowFeatures:i=dr,popupWindowTarget:r=ur,redirectMethod:n="assign",redirectTarget:o="self",iframeNotifyParentOrigin:a=e.iframeNotifyParentOrigin,iframeScriptOrigin:c=e.iframeScriptOrigin,requestTimeoutInSeconds:l,silent_redirect_uri:d=e.redirect_uri,silentRequestTimeoutInSeconds:u,automaticSilentRenew:h=!0,validateSubOnSilentRenew:g=!0,includeIdTokenInSilentRenew:p=!1,monitorSession:_=!1,monitorAnonymousSession:w=!1,checkSessionIntervalInSeconds:f=gr,query_status_response_type:m="code",stopCheckSessionOnError:v=!0,revokeTokenTypes:y=["access_token","refresh_token"],revokeTokensOnSignout:S=!1,includeIdTokenInSilentSignout:b=!1,accessTokenExpiringNotificationTimeInSeconds:k=hr,userStore:I}=e;if(super(e),this.popup_redirect_uri=t,this.popup_post_logout_redirect_uri=s,this.popupWindowFeatures=i,this.popupWindowTarget=r,this.redirectMethod=n,this.redirectTarget=o,this.iframeNotifyParentOrigin=a,this.iframeScriptOrigin=c,this.silent_redirect_uri=d,this.silentRequestTimeoutInSeconds=u||l||10,this.automaticSilentRenew=h,this.validateSubOnSilentRenew=g,this.includeIdTokenInSilentRenew=p,this.monitorSession=_,this.monitorAnonymousSession=w,this.checkSessionIntervalInSeconds=f,this.stopCheckSessionOnError=v,this.query_status_response_type=m,this.revokeTokenTypes=y,this.revokeTokensOnSignout=S,this.includeIdTokenInSilentSignout=b,this.accessTokenExpiringNotificationTimeInSeconds=k,I)this.userStore=I;else{const e="undefined"!=typeof window?window.sessionStorage:new Di;this.userStore=new Ki({store:e})}}},_r=class e extends lr{constructor({silentRequestTimeoutInSeconds:t=10}){super(),this._logger=new Ti("IFrameWindow"),this._timeoutInSeconds=t,this._frame=e.createHiddenIframe(),this._window=this._frame.contentWindow}static createHiddenIframe(){const e=window.document.createElement("iframe");return e.style.visibility="hidden",e.style.position="fixed",e.style.left="-1000px",e.style.top="0",e.width="0",e.height="0",window.document.body.appendChild(e),e}async navigate(e){this._logger.debug("navigate: Using timeout of:",this._timeoutInSeconds);const t=setTimeout((()=>{this._abort.raise(new Ni("IFrame timed out without a response"))}),1e3*this._timeoutInSeconds);return this._disposeHandlers.add((()=>clearTimeout(t))),await super.navigate(e)}close(){var e;this._frame&&(this._frame.parentNode&&(this._frame.addEventListener("load",(e=>{var t;const s=e.target;null==(t=s.parentNode)||t.removeChild(s),this._abort.raise(new Error("IFrame removed from DOM"))}),!0),null==(e=this._frame.contentWindow)||e.location.replace("about:blank")),this._frame=null),this._window=null}static notifyParent(e,t){return super._notifyParent(window.parent,e,!1,t)}},wr=class{constructor(e){this._settings=e,this._logger=new Ti("IFrameNavigator")}async prepare({silentRequestTimeoutInSeconds:e=this._settings.silentRequestTimeoutInSeconds}){return new _r({silentRequestTimeoutInSeconds:e})}async callback(e){this._logger.create("callback"),_r.notifyParent(e,this._settings.iframeNotifyParentOrigin)}},fr=class extends lr{constructor({popupWindowTarget:e=ur,popupWindowFeatures:t={},popupSignal:s}){super(),this._logger=new Ti("PopupWindow");const i=Ui.center({...dr,...t});this._window=window.open(void 0,e,Ui.serialize(i)),s&&s.addEventListener("abort",(()=>{var e;this._abort.raise(new Error(null!=(e=s.reason)?e:"Popup aborted"))})),t.closePopupWindowAfterInSeconds&&t.closePopupWindowAfterInSeconds>0&&setTimeout((()=>{this._window&&"boolean"==typeof this._window.closed&&!this._window.closed?this.close():this._abort.raise(new Error("Popup blocked by user"))}),1e3*t.closePopupWindowAfterInSeconds)}async navigate(e){var t;null==(t=this._window)||t.focus();const s=setInterval((()=>{this._window&&!this._window.closed||this._abort.raise(new Error("Popup closed by user"))}),500);return this._disposeHandlers.add((()=>clearInterval(s))),await super.navigate(e)}close(){this._window&&(this._window.closed||(this._window.close(),this._abort.raise(new Error("Popup closed")))),this._window=null}static notifyOpener(e,t){if(!window.opener)throw new Error("No window.opener. Can't complete notification.");return super._notifyParent(window.opener,e,t)}},mr=class{constructor(e){this._settings=e,this._logger=new Ti("PopupNavigator")}async prepare({popupWindowFeatures:e=this._settings.popupWindowFeatures,popupWindowTarget:t=this._settings.popupWindowTarget,popupSignal:s}){return new fr({popupWindowFeatures:e,popupWindowTarget:t,popupSignal:s})}async callback(e,{keepOpen:t=!1}){this._logger.create("callback"),fr.notifyOpener(e,t)}},vr=class{constructor(e){this._settings=e,this._logger=new Ti("RedirectNavigator")}async prepare({redirectMethod:e=this._settings.redirectMethod,redirectTarget:t=this._settings.redirectTarget}){var s;this._logger.create("prepare");let i=window.self;"top"===t&&(i=null!=(s=window.top)?s:window.self);const r=i.location[e].bind(i.location);let n;return{navigate:async e=>{this._logger.create("navigate");const t=new Promise(((e,t)=>{n=t}));return r(e.url),await t},close:()=>{this._logger.create("close"),null==n||n(new Error("Redirect aborted")),i.stop()}}}async callback(){}},yr=class extends $i{constructor(e){super({expiringNotificationTimeInSeconds:e.accessTokenExpiringNotificationTimeInSeconds}),this._logger=new Ti("UserManagerEvents"),this._userLoaded=new Ri("User loaded"),this._userUnloaded=new Ri("User unloaded"),this._silentRenewError=new Ri("Silent renew error"),this._userSignedIn=new Ri("User signed in"),this._userSignedOut=new Ri("User signed out"),this._userSessionChanged=new Ri("User session changed")}async load(e,t=!0){await super.load(e),t&&await this._userLoaded.raise(e)}async unload(){await super.unload(),await this._userUnloaded.raise()}addUserLoaded(e){return this._userLoaded.addHandler(e)}removeUserLoaded(e){return this._userLoaded.removeHandler(e)}addUserUnloaded(e){return this._userUnloaded.addHandler(e)}removeUserUnloaded(e){return this._userUnloaded.removeHandler(e)}addSilentRenewError(e){return this._silentRenewError.addHandler(e)}removeSilentRenewError(e){return this._silentRenewError.removeHandler(e)}async _raiseSilentRenewError(e){await this._silentRenewError.raise(e)}addUserSignedIn(e){return this._userSignedIn.addHandler(e)}removeUserSignedIn(e){this._userSignedIn.removeHandler(e)}async _raiseUserSignedIn(){await this._userSignedIn.raise()}addUserSignedOut(e){return this._userSignedOut.addHandler(e)}removeUserSignedOut(e){this._userSignedOut.removeHandler(e)}async _raiseUserSignedOut(){await this._userSignedOut.raise()}addUserSessionChanged(e){return this._userSessionChanged.addHandler(e)}removeUserSessionChanged(e){this._userSessionChanged.removeHandler(e)}async _raiseUserSessionChanged(){await this._userSessionChanged.raise()}},Sr=class{constructor(e){this._userManager=e,this._logger=new Ti("SilentRenewService"),this._isStarted=!1,this._retryTimer=new Ci("Retry Silent Renew"),this._tokenExpiring=async()=>{const e=this._logger.create("_tokenExpiring");try{await this._userManager.signinSilent(),e.debug("silent token renewal successful")}catch(t){if(t instanceof Ni)return e.warn("ErrorTimeout from signinSilent:",t,"retry in 5s"),void this._retryTimer.init(5);e.error("Error from signinSilent:",t),await this._userManager.events._raiseSilentRenewError(t)}}}async start(){const e=this._logger.create("start");if(!this._isStarted){this._isStarted=!0,this._userManager.events.addAccessTokenExpiring(this._tokenExpiring),this._retryTimer.addHandler(this._tokenExpiring);try{await this._userManager.getUser()}catch(t){e.error("getUser error",t)}}}stop(){this._isStarted&&(this._retryTimer.cancel(),this._retryTimer.removeHandler(this._tokenExpiring),this._userManager.events.removeAccessTokenExpiring(this._tokenExpiring),this._isStarted=!1)}},br=class{constructor(e){this.refresh_token=e.refresh_token,this.id_token=e.id_token,this.session_state=e.session_state,this.scope=e.scope,this.profile=e.profile,this.data=e.state}},kr=Object.freeze({__proto__:null,AccessTokenEvents:$i,CheckSessionIFrame:Mi,DPoPState:rr,ErrorResponse:Ai,ErrorTimeout:Ni,InMemoryWebStorage:Di,IndexedDbDPoPStore:class{constructor(){this._dbName="oidc",this._storeName="dpop"}async set(e,t){const s=await this.createStore(this._dbName,this._storeName);await s("readwrite",(s=>(s.put(t,e),this.promisifyRequest(s.transaction))))}async get(e){const t=await this.createStore(this._dbName,this._storeName);return await t("readonly",(t=>this.promisifyRequest(t.get(e))))}async remove(e){const t=await this.get(e),s=await this.createStore(this._dbName,this._storeName);return await s("readwrite",(t=>this.promisifyRequest(t.delete(e)))),t}async getAllKeys(){const e=await this.createStore(this._dbName,this._storeName);return await e("readonly",(e=>this.promisifyRequest(e.getAllKeys())))}promisifyRequest(e){return new Promise(((t,s)=>{e.oncomplete=e.onsuccess=()=>t(e.result),e.onabort=e.onerror=()=>s(e.error)}))}async createStore(e,t){const s=indexedDB.open(e);s.onupgradeneeded=()=>s.result.createObjectStore(t);const i=await this.promisifyRequest(s);return async(e,s)=>{const r=i.transaction(t,e).objectStore(t);return await s(r)}}},get Log(){return Ii},Logger:Ti,MetadataService:Li,OidcClient:nr,OidcClientSettingsStore:Wi,SessionMonitor:or,SigninResponse:Yi,SigninState:Qi,SignoutResponse:er,State:Vi,User:ar,UserManager:class{constructor(e,t,s,i){this._logger=new Ti("UserManager"),this.settings=new pr(e),this._client=new nr(e),this._redirectNavigator=null!=t?t:new vr(this.settings),this._popupNavigator=null!=s?s:new mr(this.settings),this._iframeNavigator=null!=i?i:new wr(this.settings),this._events=new yr(this.settings),this._silentRenewService=new Sr(this),this.settings.automaticSilentRenew&&this.startSilentRenew(),this._sessionMonitor=null,this.settings.monitorSession&&(this._sessionMonitor=new or(this))}get events(){return this._events}get metadataService(){return this._client.metadataService}async getUser(e=!1){const t=this._logger.create("getUser"),s=await this._loadUser();return s?(t.info("user loaded"),await this._events.load(s,e),s):(t.info("user not found in storage"),null)}async removeUser(){const e=this._logger.create("removeUser");await this.storeUser(null),e.info("user removed from storage"),await this._events.unload()}async signinRedirect(e={}){var t;this._logger.create("signinRedirect");const{redirectMethod:s,...i}=e;let r;(null==(t=this.settings.dpop)?void 0:t.bind_authorization_code)&&(r=await this.generateDPoPJkt(this.settings.dpop));const n=await this._redirectNavigator.prepare({redirectMethod:s});await this._signinStart({request_type:"si:r",dpopJkt:r,...i},n)}async signinRedirectCallback(e=window.location.href){const t=this._logger.create("signinRedirectCallback"),s=await this._signinEnd(e);return s.profile&&s.profile.sub?t.info("success, signed in subject",s.profile.sub):t.info("no subject"),s}async signinResourceOwnerCredentials({username:e,password:t,skipUserInfo:s=!1}){const i=this._logger.create("signinResourceOwnerCredential"),r=await this._client.processResourceOwnerPasswordCredentials({username:e,password:t,skipUserInfo:s,extraTokenParams:this.settings.extraTokenParams});i.debug("got signin response");const n=await this._buildUser(r);return n.profile&&n.profile.sub?i.info("success, signed in subject",n.profile.sub):i.info("no subject"),n}async signinPopup(e={}){var t;const s=this._logger.create("signinPopup");let i;(null==(t=this.settings.dpop)?void 0:t.bind_authorization_code)&&(i=await this.generateDPoPJkt(this.settings.dpop));const{popupWindowFeatures:r,popupWindowTarget:n,popupSignal:o,...a}=e,c=this.settings.popup_redirect_uri;c||s.throw(new Error("No popup_redirect_uri configured"));const l=await this._popupNavigator.prepare({popupWindowFeatures:r,popupWindowTarget:n,popupSignal:o}),d=await this._signin({request_type:"si:p",redirect_uri:c,display:"popup",dpopJkt:i,...a},l);return d&&(d.profile&&d.profile.sub?s.info("success, signed in subject",d.profile.sub):s.info("no subject")),d}async signinPopupCallback(e=window.location.href,t=!1){const s=this._logger.create("signinPopupCallback");await this._popupNavigator.callback(e,{keepOpen:t}),s.info("success")}async signinSilent(e={}){var t,s;const i=this._logger.create("signinSilent"),{silentRequestTimeoutInSeconds:r,...n}=e;let o,a=await this._loadUser();if(null==a?void 0:a.refresh_token){i.debug("using refresh token");const e=new br(a);return await this._useRefreshToken({state:e,redirect_uri:n.redirect_uri,resource:n.resource,extraTokenParams:n.extraTokenParams,timeoutInSeconds:r})}(null==(t=this.settings.dpop)?void 0:t.bind_authorization_code)&&(o=await this.generateDPoPJkt(this.settings.dpop));const c=this.settings.silent_redirect_uri;let l;c||i.throw(new Error("No silent_redirect_uri configured")),a&&this.settings.validateSubOnSilentRenew&&(i.debug("subject prior to silent renew:",a.profile.sub),l=a.profile.sub);const d=await this._iframeNavigator.prepare({silentRequestTimeoutInSeconds:r});return a=await this._signin({request_type:"si:s",redirect_uri:c,prompt:"none",id_token_hint:this.settings.includeIdTokenInSilentRenew?null==a?void 0:a.id_token:void 0,dpopJkt:o,...n},d,l),a&&((null==(s=a.profile)?void 0:s.sub)?i.info("success, signed in subject",a.profile.sub):i.info("no subject")),a}async _useRefreshToken(e){const t=await this._client.useRefreshToken({timeoutInSeconds:this.settings.silentRequestTimeoutInSeconds,...e}),s=new ar({...e.state,...t});return await this.storeUser(s),await this._events.load(s),s}async signinSilentCallback(e=window.location.href){const t=this._logger.create("signinSilentCallback");await this._iframeNavigator.callback(e),t.info("success")}async signinCallback(e=window.location.href){const{state:t}=await this._client.readSigninResponseState(e);switch(t.request_type){case"si:r":return await this.signinRedirectCallback(e);case"si:p":await this.signinPopupCallback(e);break;case"si:s":await this.signinSilentCallback(e);break;default:throw new Error("invalid response_type in state")}}async signoutCallback(e=window.location.href,t=!1){const{state:s}=await this._client.readSignoutResponseState(e);if(s)switch(s.request_type){case"so:r":return await this.signoutRedirectCallback(e);case"so:p":await this.signoutPopupCallback(e,t);break;case"so:s":await this.signoutSilentCallback(e);break;default:throw new Error("invalid response_type in state")}}async querySessionStatus(e={}){const t=this._logger.create("querySessionStatus"),{silentRequestTimeoutInSeconds:s,...i}=e,r=this.settings.silent_redirect_uri;r||t.throw(new Error("No silent_redirect_uri configured"));const n=await this._loadUser(),o=await this._iframeNavigator.prepare({silentRequestTimeoutInSeconds:s}),a=await this._signinStart({request_type:"si:s",redirect_uri:r,prompt:"none",id_token_hint:this.settings.includeIdTokenInSilentRenew?null==n?void 0:n.id_token:void 0,response_type:this.settings.query_status_response_type,scope:"openid",skipUserInfo:!0,...i},o);try{const e={},s=await this._client.processSigninResponse(a.url,e);return t.debug("got signin response"),s.session_state&&s.profile.sub?(t.info("success for subject",s.profile.sub),{session_state:s.session_state,sub:s.profile.sub}):(t.info("success, user not authenticated"),null)}catch(e){if(this.settings.monitorAnonymousSession&&e instanceof Ai)switch(e.error){case"login_required":case"consent_required":case"interaction_required":case"account_selection_required":return t.info("success for anonymous user"),{session_state:e.session_state}}throw e}}async _signin(e,t,s){const i=await this._signinStart(e,t);return await this._signinEnd(i.url,s)}async _signinStart(e,t){const s=this._logger.create("_signinStart");try{const i=await this._client.createSigninRequest(e);return s.debug("got signin request"),await t.navigate({url:i.url,state:i.state.id,response_mode:i.state.response_mode,scriptOrigin:this.settings.iframeScriptOrigin})}catch(e){throw s.debug("error after preparing navigator, closing navigator window"),t.close(),e}}async _signinEnd(e,t){const s=this._logger.create("_signinEnd"),i=await this._client.processSigninResponse(e,{});s.debug("got signin response");return await this._buildUser(i,t)}async _buildUser(e,t){const s=this._logger.create("_buildUser"),i=new ar(e);if(t){if(t!==i.profile.sub)throw s.debug("current user does not match user returned from signin. sub from signin:",i.profile.sub),new Ai({...e,error:"login_required"});s.debug("current user matches user returned from signin")}return await this.storeUser(i),s.debug("user stored"),await this._events.load(i),i}async signoutRedirect(e={}){const t=this._logger.create("signoutRedirect"),{redirectMethod:s,...i}=e,r=await this._redirectNavigator.prepare({redirectMethod:s});await this._signoutStart({request_type:"so:r",post_logout_redirect_uri:this.settings.post_logout_redirect_uri,...i},r),t.info("success")}async signoutRedirectCallback(e=window.location.href){const t=this._logger.create("signoutRedirectCallback"),s=await this._signoutEnd(e);return t.info("success"),s}async signoutPopup(e={}){const t=this._logger.create("signoutPopup"),{popupWindowFeatures:s,popupWindowTarget:i,popupSignal:r,...n}=e,o=this.settings.popup_post_logout_redirect_uri,a=await this._popupNavigator.prepare({popupWindowFeatures:s,popupWindowTarget:i,popupSignal:r});await this._signout({request_type:"so:p",post_logout_redirect_uri:o,state:null==o?void 0:{},...n},a),t.info("success")}async signoutPopupCallback(e=window.location.href,t=!1){const s=this._logger.create("signoutPopupCallback");await this._popupNavigator.callback(e,{keepOpen:t}),s.info("success")}async _signout(e,t){const s=await this._signoutStart(e,t);return await this._signoutEnd(s.url)}async _signoutStart(e={},t){var s;const i=this._logger.create("_signoutStart");try{const r=await this._loadUser();i.debug("loaded current user from storage"),this.settings.revokeTokensOnSignout&&await this._revokeInternal(r);const n=e.id_token_hint||r&&r.id_token;n&&(i.debug("setting id_token_hint in signout request"),e.id_token_hint=n),await this.removeUser(),i.debug("user removed, creating signout request");const o=await this._client.createSignoutRequest(e);return i.debug("got signout request"),await t.navigate({url:o.url,state:null==(s=o.state)?void 0:s.id,scriptOrigin:this.settings.iframeScriptOrigin})}catch(e){throw i.debug("error after preparing navigator, closing navigator window"),t.close(),e}}async _signoutEnd(e){const t=this._logger.create("_signoutEnd"),s=await this._client.processSignoutResponse(e);return t.debug("got signout response"),s}async signoutSilent(e={}){var t;const s=this._logger.create("signoutSilent"),{silentRequestTimeoutInSeconds:i,...r}=e,n=this.settings.includeIdTokenInSilentSignout?null==(t=await this._loadUser())?void 0:t.id_token:void 0,o=this.settings.popup_post_logout_redirect_uri,a=await this._iframeNavigator.prepare({silentRequestTimeoutInSeconds:i});await this._signout({request_type:"so:s",post_logout_redirect_uri:o,id_token_hint:n,...r},a),s.info("success")}async signoutSilentCallback(e=window.location.href){const t=this._logger.create("signoutSilentCallback");await this._iframeNavigator.callback(e),t.info("success")}async revokeTokens(e){const t=await this._loadUser();await this._revokeInternal(t,e)}async _revokeInternal(e,t=this.settings.revokeTokenTypes){const s=this._logger.create("_revokeInternal");if(!e)return;const i=t.filter((t=>"string"==typeof e[t]));if(i.length){for(const t of i)await this._client.revokeToken(e[t],t),s.info(`${t} revoked successfully`),"access_token"!==t&&(e[t]=null);await this.storeUser(e),s.debug("user stored"),await this._events.load(e)}else s.debug("no need to revoke due to no token(s)")}startSilentRenew(){this._logger.create("startSilentRenew"),this._silentRenewService.start()}stopSilentRenew(){this._silentRenewService.stop()}get _userStoreKey(){return`user:${this.settings.authority}:${this.settings.client_id}`}async _loadUser(){const e=this._logger.create("_loadUser"),t=await this.settings.userStore.get(this._userStoreKey);return t?(e.debug("user storageString loaded"),ar.fromStorageString(t)):(e.debug("no user storageString"),null)}async storeUser(e){const t=this._logger.create("storeUser");if(e){t.debug("storing user");const s=e.toStorageString();await this.settings.userStore.set(this._userStoreKey,s)}else this._logger.debug("removing user"),await this.settings.userStore.remove(this._userStoreKey),this.settings.dpop&&await this.settings.dpop.store.remove(this.settings.client_id)}async clearStaleState(){await this._client.clearStaleState()}async dpopProof(e,t,s,i){var r,n;const o=await(null==(n=null==(r=this.settings.dpop)?void 0:r.store)?void 0:n.get(this.settings.client_id));if(o)return await Pi.generateDPoPProof({url:e,accessToken:null==t?void 0:t.access_token,httpMethod:s,keyPair:o.keys,nonce:i})}async generateDPoPJkt(e){let t=await e.store.get(this.settings.client_id);if(!t){const s=await Pi.generateDPoPKeys();t=new rr(s),await e.store.set(this.settings.client_id,t)}return await Pi.generateDPoPJkt(t.keys)}},UserManagerSettingsStore:pr,Version:"3.2.0",WebStorageStateStore:Ki});return vi}));
4
+ //# sourceMappingURL=index.umd.js.map