@eventuras/fides-auth 0.3.0

package/dist/deflate-koSuX7FB.js

@@ -0,0 +1,1015 @@
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/buffer_utils.js
+var e = new TextEncoder(), t = new TextDecoder(), n = 2 ** 32;
+function r(...e) {
+	let t = e.reduce((e, { length: t }) => e + t, 0), n = new Uint8Array(t), r = 0;
+	for (let t of e) n.set(t, r), r += t.length;
+	return n;
+}
+function i(e, t, r) {
+	if (t < 0 || t >= n) throw RangeError(`value must be >= 0 and <= ${n - 1}. Received ${t}`);
+	e.set([
+		t >>> 24,
+		t >>> 16,
+		t >>> 8,
+		t & 255
+	], r);
+}
+function a(e) {
+	let t = Math.floor(e / n), r = e % n, a = new Uint8Array(8);
+	return i(a, t, 0), i(a, r, 4), a;
+}
+function o(e) {
+	let t = new Uint8Array(4);
+	return i(t, e), t;
+}
+function s(e) {
+	let t = new Uint8Array(e.length);
+	for (let n = 0; n < e.length; n++) {
+		let r = e.charCodeAt(n);
+		if (r > 127) throw TypeError("non-ASCII string encountered in encode()");
+		t[n] = r;
+	}
+	return t;
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/base64.js
+function c(e) {
+	if (Uint8Array.prototype.toBase64) return e.toBase64();
+	let t = 32768, n = [];
+	for (let r = 0; r < e.length; r += t) n.push(String.fromCharCode.apply(null, e.subarray(r, r + t)));
+	return btoa(n.join(""));
+}
+function l(e) {
+	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(e);
+	let t = atob(e), n = new Uint8Array(t.length);
+	for (let e = 0; e < t.length; e++) n[e] = t.charCodeAt(e);
+	return n;
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/util/base64url.js
+function u(e) {
+	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(typeof e == "string" ? e : t.decode(e), { alphabet: "base64url" });
+	let n = e;
+	n instanceof Uint8Array && (n = t.decode(n)), n = n.replace(/-/g, "+").replace(/_/g, "/");
+	try {
+		return l(n);
+	} catch {
+		throw TypeError("The input to be decoded is not correctly encoded.");
+	}
+}
+function d(t) {
+	let n = t;
+	return typeof n == "string" && (n = e.encode(n)), Uint8Array.prototype.toBase64 ? n.toBase64({
+		alphabet: "base64url",
+		omitPadding: !0
+	}) : c(n).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/crypto_key.js
+var f = (e, t = "algorithm.name") => /* @__PURE__ */ TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`), p = (e, t) => e.name === t;
+function ee(e) {
+	return parseInt(e.name.slice(4), 10);
+}
+function m(e, t) {
+	if (ee(e.hash) !== t) throw f(`SHA-${t}`, "algorithm.hash");
+}
+function h(e, t) {
+	if (t && !e.usages.includes(t)) throw TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`);
+}
+function g(e, t, n) {
+	switch (t) {
+		case "A128GCM":
+		case "A192GCM":
+		case "A256GCM": {
+			if (!p(e.algorithm, "AES-GCM")) throw f("AES-GCM");
+			let n = parseInt(t.slice(1, 4), 10);
+			if (e.algorithm.length !== n) throw f(n, "algorithm.length");
+			break;
+		}
+		case "A128KW":
+		case "A192KW":
+		case "A256KW": {
+			if (!p(e.algorithm, "AES-KW")) throw f("AES-KW");
+			let n = parseInt(t.slice(1, 4), 10);
+			if (e.algorithm.length !== n) throw f(n, "algorithm.length");
+			break;
+		}
+		case "ECDH":
+			switch (e.algorithm.name) {
+				case "ECDH":
+				case "X25519": break;
+				default: throw f("ECDH or X25519");
+			}
+			break;
+		case "PBES2-HS256+A128KW":
+		case "PBES2-HS384+A192KW":
+		case "PBES2-HS512+A256KW":
+			if (!p(e.algorithm, "PBKDF2")) throw f("PBKDF2");
+			break;
+		case "RSA-OAEP":
+		case "RSA-OAEP-256":
+		case "RSA-OAEP-384":
+		case "RSA-OAEP-512":
+			if (!p(e.algorithm, "RSA-OAEP")) throw f("RSA-OAEP");
+			m(e.algorithm, parseInt(t.slice(9), 10) || 1);
+			break;
+		default: throw TypeError("CryptoKey does not support this operation");
+	}
+	h(e, n);
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function _(e, t, ...n) {
+	if (n = n.filter(Boolean), n.length > 2) {
+		let t = n.pop();
+		e += `one of type ${n.join(", ")}, or ${t}.`;
+	} else n.length === 2 ? e += `one of type ${n[0]} or ${n[1]}.` : e += `of type ${n[0]}.`;
+	return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t && t.constructor?.name && (e += ` Received an instance of ${t.constructor.name}`), e;
+}
+var v = (e, ...t) => _("Key must be ", e, ...t), te = (e, t, ...n) => _(`Key for the ${e} algorithm must be `, t, ...n), y = class extends Error {
+	static code = "ERR_JOSE_GENERIC";
+	code = "ERR_JOSE_GENERIC";
+	constructor(e, t) {
+		super(e, t), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor);
+	}
+}, ne = class extends y {
+	static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+	code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+	claim;
+	reason;
+	payload;
+	constructor(e, t, n = "unspecified", r = "unspecified") {
+		super(e, { cause: {
+			claim: n,
+			reason: r,
+			payload: t
+		} }), this.claim = n, this.reason = r, this.payload = t;
+	}
+}, re = class extends y {
+	static code = "ERR_JWT_EXPIRED";
+	code = "ERR_JWT_EXPIRED";
+	claim;
+	reason;
+	payload;
+	constructor(e, t, n = "unspecified", r = "unspecified") {
+		super(e, { cause: {
+			claim: n,
+			reason: r,
+			payload: t
+		} }), this.claim = n, this.reason = r, this.payload = t;
+	}
+}, ie = class extends y {
+	static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+	code = "ERR_JOSE_ALG_NOT_ALLOWED";
+}, b = class extends y {
+	static code = "ERR_JOSE_NOT_SUPPORTED";
+	code = "ERR_JOSE_NOT_SUPPORTED";
+}, x = class extends y {
+	static code = "ERR_JWE_DECRYPTION_FAILED";
+	code = "ERR_JWE_DECRYPTION_FAILED";
+	constructor(e = "decryption operation failed", t) {
+		super(e, t);
+	}
+}, S = class extends y {
+	static code = "ERR_JWE_INVALID";
+	code = "ERR_JWE_INVALID";
+}, ae = class extends y {
+	static code = "ERR_JWT_INVALID";
+	code = "ERR_JWT_INVALID";
+};
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/is_key_like.js
+function C(e) {
+	if (!w(e)) throw Error("CryptoKey instance expected");
+}
+var w = (e) => {
+	if (e?.[Symbol.toStringTag] === "CryptoKey") return !0;
+	try {
+		return e instanceof CryptoKey;
+	} catch {
+		return !1;
+	}
+}, T = (e) => e?.[Symbol.toStringTag] === "KeyObject", oe = (e) => w(e) || T(e);
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/content_encryption.js
+function E(e) {
+	switch (e) {
+		case "A128GCM": return 128;
+		case "A192GCM": return 192;
+		case "A256GCM":
+		case "A128CBC-HS256": return 256;
+		case "A192CBC-HS384": return 384;
+		case "A256CBC-HS512": return 512;
+		default: throw new b(`Unsupported JWE Algorithm: ${e}`);
+	}
+}
+var D = (e) => crypto.getRandomValues(new Uint8Array(E(e) >> 3));
+function O(e, t) {
+	let n = e.byteLength << 3;
+	if (n !== t) throw new S(`Invalid Content Encryption Key length. Expected ${t} bits, got ${n} bits`);
+}
+function se(e) {
+	switch (e) {
+		case "A128GCM":
+		case "A128GCMKW":
+		case "A192GCM":
+		case "A192GCMKW":
+		case "A256GCM":
+		case "A256GCMKW": return 96;
+		case "A128CBC-HS256":
+		case "A192CBC-HS384":
+		case "A256CBC-HS512": return 128;
+		default: throw new b(`Unsupported JWE Algorithm: ${e}`);
+	}
+}
+var ce = (e) => crypto.getRandomValues(new Uint8Array(se(e) >> 3));
+function k(e, t) {
+	if (t.length << 3 !== se(e)) throw new S("Invalid Initialization Vector length");
+}
+async function A(e, t, n) {
+	if (!(t instanceof Uint8Array)) throw TypeError(v(t, "Uint8Array"));
+	let r = parseInt(e.slice(1, 4), 10);
+	return {
+		encKey: await crypto.subtle.importKey("raw", t.subarray(r >> 3), "AES-CBC", !1, [n]),
+		macKey: await crypto.subtle.importKey("raw", t.subarray(0, r >> 3), {
+			hash: `SHA-${r << 1}`,
+			name: "HMAC"
+		}, !1, ["sign"]),
+		keySize: r
+	};
+}
+async function j(e, t, n) {
+	return new Uint8Array((await crypto.subtle.sign("HMAC", e, t)).slice(0, n >> 3));
+}
+async function le(e, t, n, i, o) {
+	let { encKey: s, macKey: c, keySize: l } = await A(e, n, "encrypt"), u = new Uint8Array(await crypto.subtle.encrypt({
+		iv: i,
+		name: "AES-CBC"
+	}, s, t));
+	return {
+		ciphertext: u,
+		tag: await j(c, r(o, i, u, a(o.length << 3)), l),
+		iv: i
+	};
+}
+async function ue(e, t) {
+	if (!(e instanceof Uint8Array)) throw TypeError("First argument must be a buffer");
+	if (!(t instanceof Uint8Array)) throw TypeError("Second argument must be a buffer");
+	let n = {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, r = await crypto.subtle.generateKey(n, !1, ["sign"]), i = new Uint8Array(await crypto.subtle.sign(n, r, e)), a = new Uint8Array(await crypto.subtle.sign(n, r, t)), o = 0, s = -1;
+	for (; ++s < 32;) o |= i[s] ^ a[s];
+	return o === 0;
+}
+async function de(e, t, n, i, o, s) {
+	let { encKey: c, macKey: l, keySize: u } = await A(e, t, "decrypt"), d = await j(l, r(s, i, n, a(s.length << 3)), u), f;
+	try {
+		f = await ue(o, d);
+	} catch {}
+	if (!f) throw new x();
+	let p;
+	try {
+		p = new Uint8Array(await crypto.subtle.decrypt({
+			iv: i,
+			name: "AES-CBC"
+		}, c, n));
+	} catch {}
+	if (!p) throw new x();
+	return p;
+}
+async function fe(e, t, n, r, i) {
+	let a;
+	n instanceof Uint8Array ? a = await crypto.subtle.importKey("raw", n, "AES-GCM", !1, ["encrypt"]) : (g(n, e, "encrypt"), a = n);
+	let o = new Uint8Array(await crypto.subtle.encrypt({
+		additionalData: i,
+		iv: r,
+		name: "AES-GCM",
+		tagLength: 128
+	}, a, t)), s = o.slice(-16);
+	return {
+		ciphertext: o.slice(0, -16),
+		tag: s,
+		iv: r
+	};
+}
+async function pe(e, t, n, i, a, o) {
+	let s;
+	t instanceof Uint8Array ? s = await crypto.subtle.importKey("raw", t, "AES-GCM", !1, ["decrypt"]) : (g(t, e, "decrypt"), s = t);
+	try {
+		return new Uint8Array(await crypto.subtle.decrypt({
+			additionalData: o,
+			iv: i,
+			name: "AES-GCM",
+			tagLength: 128
+		}, s, r(n, a)));
+	} catch {
+		throw new x();
+	}
+}
+var M = "Unsupported JWE Content Encryption Algorithm";
+async function N(e, t, n, r, i) {
+	if (!w(n) && !(n instanceof Uint8Array)) throw TypeError(v(n, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
+	switch (r ? k(e, r) : r = ce(e), e) {
+		case "A128CBC-HS256":
+		case "A192CBC-HS384":
+		case "A256CBC-HS512": return n instanceof Uint8Array && O(n, parseInt(e.slice(-3), 10)), le(e, t, n, r, i);
+		case "A128GCM":
+		case "A192GCM":
+		case "A256GCM": return n instanceof Uint8Array && O(n, parseInt(e.slice(1, 4), 10)), fe(e, t, n, r, i);
+		default: throw new b(M);
+	}
+}
+async function P(e, t, n, r, i, a) {
+	if (!w(t) && !(t instanceof Uint8Array)) throw TypeError(v(t, "CryptoKey", "KeyObject", "Uint8Array", "JSON Web Key"));
+	if (!r) throw new S("JWE Initialization Vector missing");
+	if (!i) throw new S("JWE Authentication Tag missing");
+	switch (k(e, r), e) {
+		case "A128CBC-HS256":
+		case "A192CBC-HS384":
+		case "A256CBC-HS512": return t instanceof Uint8Array && O(t, parseInt(e.slice(-3), 10)), de(e, t, n, r, i, a);
+		case "A128GCM":
+		case "A192GCM":
+		case "A256GCM": return t instanceof Uint8Array && O(t, parseInt(e.slice(1, 4), 10)), pe(e, t, n, r, i, a);
+		default: throw new b(M);
+	}
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/helpers.js
+var me = Symbol();
+function he(e, t) {
+	if (e) throw TypeError(`${t} can only be called once`);
+}
+function F(e, t, n) {
+	try {
+		return u(e);
+	} catch {
+		throw new n(`Failed to base64url decode the ${t}`);
+	}
+}
+async function ge(e, t) {
+	let n = `SHA-${e.slice(-3)}`;
+	return new Uint8Array(await crypto.subtle.digest(n, t));
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/type_checks.js
+var _e = (e) => typeof e == "object" && !!e;
+function I(e) {
+	if (!_e(e) || Object.prototype.toString.call(e) !== "[object Object]") return !1;
+	if (Object.getPrototypeOf(e) === null) return !0;
+	let t = e;
+	for (; Object.getPrototypeOf(t) !== null;) t = Object.getPrototypeOf(t);
+	return Object.getPrototypeOf(e) === t;
+}
+function ve(...e) {
+	let t = e.filter(Boolean);
+	if (t.length === 0 || t.length === 1) return !0;
+	let n;
+	for (let e of t) {
+		let t = Object.keys(e);
+		if (!n || n.size === 0) {
+			n = new Set(t);
+			continue;
+		}
+		for (let e of t) {
+			if (n.has(e)) return !1;
+			n.add(e);
+		}
+	}
+	return !0;
+}
+var L = (e) => I(e) && typeof e.kty == "string", ye = (e) => e.kty !== "oct" && (e.kty === "AKP" && typeof e.priv == "string" || typeof e.d == "string"), be = (e) => e.kty !== "oct" && e.d === void 0 && e.priv === void 0, xe = (e) => e.kty === "oct" && typeof e.k == "string";
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/aeskw.js
+function R(e, t) {
+	if (e.algorithm.length !== parseInt(t.slice(1, 4), 10)) throw TypeError(`Invalid key size for alg: ${t}`);
+}
+function z(e, t, n) {
+	return e instanceof Uint8Array ? crypto.subtle.importKey("raw", e, "AES-KW", !0, [n]) : (g(e, t, n), e);
+}
+async function B(e, t, n) {
+	let r = await z(t, e, "wrapKey");
+	R(r, e);
+	let i = await crypto.subtle.importKey("raw", n, {
+		hash: "SHA-256",
+		name: "HMAC"
+	}, !0, ["sign"]);
+	return new Uint8Array(await crypto.subtle.wrapKey("raw", i, r, "AES-KW"));
+}
+async function V(e, t, n) {
+	let r = await z(t, e, "unwrapKey");
+	R(r, e);
+	let i = await crypto.subtle.unwrapKey("raw", n, r, "AES-KW", {
+		hash: "SHA-256",
+		name: "HMAC"
+	}, !0, ["sign"]);
+	return new Uint8Array(await crypto.subtle.exportKey("raw", i));
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/ecdhes.js
+function H(e) {
+	return r(o(e.length), e);
+}
+async function Se(e, t, n) {
+	let r = t >> 3, i = Math.ceil(r / 32), a = new Uint8Array(i * 32);
+	for (let t = 1; t <= i; t++) {
+		let r = new Uint8Array(4 + e.length + n.length);
+		r.set(o(t), 0), r.set(e, 4), r.set(n, 4 + e.length);
+		let i = await ge("sha256", r);
+		a.set(i, (t - 1) * 32);
+	}
+	return a.slice(0, r);
+}
+async function U(e, t, n, i, a = new Uint8Array(), c = new Uint8Array()) {
+	g(e, "ECDH"), g(t, "ECDH", "deriveBits");
+	let l = r(H(s(n)), H(a), H(c), o(i), new Uint8Array());
+	return Se(new Uint8Array(await crypto.subtle.deriveBits({
+		name: e.algorithm.name,
+		public: e
+	}, t, Ce(e))), i, l);
+}
+function Ce(e) {
+	return e.algorithm.name === "X25519" ? 256 : Math.ceil(parseInt(e.algorithm.namedCurve.slice(-3), 10) / 8) << 3;
+}
+function W(e) {
+	switch (e.algorithm.namedCurve) {
+		case "P-256":
+		case "P-384":
+		case "P-521": return !0;
+		default: return e.algorithm.name === "X25519";
+	}
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/pbes2kw.js
+function we(e, t) {
+	return e instanceof Uint8Array ? crypto.subtle.importKey("raw", e, "PBKDF2", !1, ["deriveBits"]) : (g(e, t, "deriveBits"), e);
+}
+var Te = (e, t) => r(s(e), Uint8Array.of(0), t);
+async function G(e, t, n, r) {
+	if (!(e instanceof Uint8Array) || e.length < 8) throw new S("PBES2 Salt Input must be 8 or more octets");
+	let i = Te(t, e), a = parseInt(t.slice(13, 16), 10), o = {
+		hash: `SHA-${t.slice(8, 11)}`,
+		iterations: n,
+		name: "PBKDF2",
+		salt: i
+	}, s = await we(r, t);
+	return new Uint8Array(await crypto.subtle.deriveBits(o, s, a));
+}
+async function Ee(e, t, n, r = 2048, i = crypto.getRandomValues(new Uint8Array(16))) {
+	let a = await G(i, e, r, t);
+	return {
+		encryptedKey: await B(e.slice(-6), a, n),
+		p2c: r,
+		p2s: d(i)
+	};
+}
+async function De(e, t, n, r, i) {
+	let a = await G(i, e, r, t);
+	return V(e.slice(-6), a, n);
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/signing.js
+function K(e, t) {
+	if (e.startsWith("RS") || e.startsWith("PS")) {
+		let { modulusLength: n } = t.algorithm;
+		if (typeof n != "number" || n < 2048) throw TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
+	}
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/rsaes.js
+var Oe = (e) => {
+	switch (e) {
+		case "RSA-OAEP":
+		case "RSA-OAEP-256":
+		case "RSA-OAEP-384":
+		case "RSA-OAEP-512": return "RSA-OAEP";
+		default: throw new b(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+	}
+};
+async function ke(e, t, n) {
+	return g(t, e, "encrypt"), K(e, t), new Uint8Array(await crypto.subtle.encrypt(Oe(e), t, n));
+}
+async function Ae(e, t, n) {
+	return g(t, e, "decrypt"), K(e, t), new Uint8Array(await crypto.subtle.decrypt(Oe(e), t, n));
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/jwk_to_key.js
+var q = "Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value";
+function je(e) {
+	let t, n;
+	switch (e.kty) {
+		case "AKP":
+			switch (e.alg) {
+				case "ML-DSA-44":
+				case "ML-DSA-65":
+				case "ML-DSA-87":
+					t = { name: e.alg }, n = e.priv ? ["sign"] : ["verify"];
+					break;
+				default: throw new b(q);
+			}
+			break;
+		case "RSA":
+			switch (e.alg) {
+				case "PS256":
+				case "PS384":
+				case "PS512":
+					t = {
+						name: "RSA-PSS",
+						hash: `SHA-${e.alg.slice(-3)}`
+					}, n = e.d ? ["sign"] : ["verify"];
+					break;
+				case "RS256":
+				case "RS384":
+				case "RS512":
+					t = {
+						name: "RSASSA-PKCS1-v1_5",
+						hash: `SHA-${e.alg.slice(-3)}`
+					}, n = e.d ? ["sign"] : ["verify"];
+					break;
+				case "RSA-OAEP":
+				case "RSA-OAEP-256":
+				case "RSA-OAEP-384":
+				case "RSA-OAEP-512":
+					t = {
+						name: "RSA-OAEP",
+						hash: `SHA-${parseInt(e.alg.slice(-3), 10) || 1}`
+					}, n = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+					break;
+				default: throw new b(q);
+			}
+			break;
+		case "EC":
+			switch (e.alg) {
+				case "ES256":
+				case "ES384":
+				case "ES512":
+					t = {
+						name: "ECDSA",
+						namedCurve: {
+							ES256: "P-256",
+							ES384: "P-384",
+							ES512: "P-521"
+						}[e.alg]
+					}, n = e.d ? ["sign"] : ["verify"];
+					break;
+				case "ECDH-ES":
+				case "ECDH-ES+A128KW":
+				case "ECDH-ES+A192KW":
+				case "ECDH-ES+A256KW":
+					t = {
+						name: "ECDH",
+						namedCurve: e.crv
+					}, n = e.d ? ["deriveBits"] : [];
+					break;
+				default: throw new b(q);
+			}
+			break;
+		case "OKP":
+			switch (e.alg) {
+				case "Ed25519":
+				case "EdDSA":
+					t = { name: "Ed25519" }, n = e.d ? ["sign"] : ["verify"];
+					break;
+				case "ECDH-ES":
+				case "ECDH-ES+A128KW":
+				case "ECDH-ES+A192KW":
+				case "ECDH-ES+A256KW":
+					t = { name: e.crv }, n = e.d ? ["deriveBits"] : [];
+					break;
+				default: throw new b(q);
+			}
+			break;
+		default: throw new b("Invalid or unsupported JWK \"kty\" (Key Type) Parameter value");
+	}
+	return {
+		algorithm: t,
+		keyUsages: n
+	};
+}
+async function J(e) {
+	if (!e.alg) throw TypeError("\"alg\" argument is required when \"jwk.alg\" is not present");
+	let { algorithm: t, keyUsages: n } = je(e), r = { ...e };
+	return r.kty !== "AKP" && delete r.alg, delete r.use, crypto.subtle.importKey("jwk", r, t, e.ext ?? !(e.d || e.priv), e.key_ops ?? n);
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/normalize_key.js
+var Y = "given KeyObject instance cannot be used for this algorithm", X, Me = async (e, t, n, r = !1) => {
+	X ||= /* @__PURE__ */ new WeakMap();
+	let i = X.get(e);
+	if (i?.[n]) return i[n];
+	let a = await J({
+		...t,
+		alg: n
+	});
+	return r && Object.freeze(e), i ? i[n] = a : X.set(e, { [n]: a }), a;
+}, Ne = (e, t) => {
+	X ||= /* @__PURE__ */ new WeakMap();
+	let n = X.get(e);
+	if (n?.[t]) return n[t];
+	let r = e.type === "public", i = !!r, a;
+	if (e.asymmetricKeyType === "x25519") {
+		switch (t) {
+			case "ECDH-ES":
+			case "ECDH-ES+A128KW":
+			case "ECDH-ES+A192KW":
+			case "ECDH-ES+A256KW": break;
+			default: throw TypeError(Y);
+		}
+		a = e.toCryptoKey(e.asymmetricKeyType, i, r ? [] : ["deriveBits"]);
+	}
+	if (e.asymmetricKeyType === "ed25519") {
+		if (t !== "EdDSA" && t !== "Ed25519") throw TypeError(Y);
+		a = e.toCryptoKey(e.asymmetricKeyType, i, [r ? "verify" : "sign"]);
+	}
+	switch (e.asymmetricKeyType) {
+		case "ml-dsa-44":
+		case "ml-dsa-65":
+		case "ml-dsa-87":
+			if (t !== e.asymmetricKeyType.toUpperCase()) throw TypeError(Y);
+			a = e.toCryptoKey(e.asymmetricKeyType, i, [r ? "verify" : "sign"]);
+	}
+	if (e.asymmetricKeyType === "rsa") {
+		let n;
+		switch (t) {
+			case "RSA-OAEP":
+				n = "SHA-1";
+				break;
+			case "RS256":
+			case "PS256":
+			case "RSA-OAEP-256":
+				n = "SHA-256";
+				break;
+			case "RS384":
+			case "PS384":
+			case "RSA-OAEP-384":
+				n = "SHA-384";
+				break;
+			case "RS512":
+			case "PS512":
+			case "RSA-OAEP-512":
+				n = "SHA-512";
+				break;
+			default: throw TypeError(Y);
+		}
+		if (t.startsWith("RSA-OAEP")) return e.toCryptoKey({
+			name: "RSA-OAEP",
+			hash: n
+		}, i, r ? ["encrypt"] : ["decrypt"]);
+		a = e.toCryptoKey({
+			name: t.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+			hash: n
+		}, i, [r ? "verify" : "sign"]);
+	}
+	if (e.asymmetricKeyType === "ec") {
+		let n = new Map([
+			["prime256v1", "P-256"],
+			["secp384r1", "P-384"],
+			["secp521r1", "P-521"]
+		]).get(e.asymmetricKeyDetails?.namedCurve);
+		if (!n) throw TypeError(Y);
+		let o = {
+			ES256: "P-256",
+			ES384: "P-384",
+			ES512: "P-521"
+		};
+		o[t] && n === o[t] && (a = e.toCryptoKey({
+			name: "ECDSA",
+			namedCurve: n
+		}, i, [r ? "verify" : "sign"])), t.startsWith("ECDH-ES") && (a = e.toCryptoKey({
+			name: "ECDH",
+			namedCurve: n
+		}, i, r ? [] : ["deriveBits"]));
+	}
+	if (!a) throw TypeError(Y);
+	return n ? n[t] = a : X.set(e, { [t]: a }), a;
+};
+async function Pe(e, t) {
+	if (e instanceof Uint8Array || w(e)) return e;
+	if (T(e)) {
+		if (e.type === "secret") return e.export();
+		if ("toCryptoKey" in e && typeof e.toCryptoKey == "function") try {
+			return Ne(e, t);
+		} catch (e) {
+			if (e instanceof TypeError) throw e;
+		}
+		return Me(e, e.export({ format: "jwk" }), t);
+	}
+	if (L(e)) return e.k ? u(e.k) : Me(e, e, t, !0);
+	throw Error("unreachable");
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/key/import.js
+async function Fe(e, t, n) {
+	if (!I(e)) throw TypeError("JWK must be an object");
+	let r;
+	switch (t ??= e.alg, r ??= n?.extractable ?? e.ext, e.kty) {
+		case "oct":
+			if (typeof e.k != "string" || !e.k) throw TypeError("missing \"k\" (Key Value) Parameter value");
+			return u(e.k);
+		case "RSA":
+			if ("oth" in e && e.oth !== void 0) throw new b("RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported");
+			return J({
+				...e,
+				alg: t,
+				ext: r
+			});
+		case "AKP":
+			if (typeof e.alg != "string" || !e.alg) throw TypeError("missing \"alg\" (Algorithm) Parameter value");
+			if (t !== void 0 && t !== e.alg) throw TypeError("JWK alg and alg option value mismatch");
+			return J({
+				...e,
+				ext: r
+			});
+		case "EC":
+		case "OKP": return J({
+			...e,
+			alg: t,
+			ext: r
+		});
+		default: throw new b("Unsupported \"kty\" (Key Type) Parameter value");
+	}
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/key_to_jwk.js
+async function Ie(e) {
+	if (T(e)) if (e.type === "secret") e = e.export();
+	else return e.export({ format: "jwk" });
+	if (e instanceof Uint8Array) return {
+		kty: "oct",
+		k: d(e)
+	};
+	if (!w(e)) throw TypeError(v(e, "CryptoKey", "KeyObject", "Uint8Array"));
+	if (!e.extractable) throw TypeError("non-extractable CryptoKey cannot be exported as a JWK");
+	let { ext: t, key_ops: n, alg: r, use: i, ...a } = await crypto.subtle.exportKey("jwk", e);
+	return a.kty === "AKP" && (a.alg = r), a;
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/key/export.js
+async function Le(e) {
+	return Ie(e);
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/aesgcmkw.js
+async function Re(e, t, n, r) {
+	let i = await N(e.slice(0, 7), n, t, r, new Uint8Array());
+	return {
+		encryptedKey: i.ciphertext,
+		iv: d(i.iv),
+		tag: d(i.tag)
+	};
+}
+async function ze(e, t, n, r, i) {
+	return P(e.slice(0, 7), t, n, r, i, new Uint8Array());
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/key_management.js
+var Be = "Invalid or unsupported \"alg\" (JWE Algorithm) header value";
+function Z(e) {
+	if (e === void 0) throw new S("JWE Encrypted Key missing");
+}
+async function Ve(e, t, n, r, i) {
+	switch (e) {
+		case "dir":
+			if (n !== void 0) throw new S("Encountered unexpected JWE Encrypted Key");
+			return t;
+		case "ECDH-ES": if (n !== void 0) throw new S("Encountered unexpected JWE Encrypted Key");
+		case "ECDH-ES+A128KW":
+		case "ECDH-ES+A192KW":
+		case "ECDH-ES+A256KW": {
+			if (!I(r.epk)) throw new S("JOSE Header \"epk\" (Ephemeral Public Key) missing or invalid");
+			if (C(t), !W(t)) throw new b("ECDH with the provided key is not allowed or not supported by your javascript runtime");
+			let i = await Fe(r.epk, e);
+			C(i);
+			let a, o;
+			if (r.apu !== void 0) {
+				if (typeof r.apu != "string") throw new S("JOSE Header \"apu\" (Agreement PartyUInfo) invalid");
+				a = F(r.apu, "apu", S);
+			}
+			if (r.apv !== void 0) {
+				if (typeof r.apv != "string") throw new S("JOSE Header \"apv\" (Agreement PartyVInfo) invalid");
+				o = F(r.apv, "apv", S);
+			}
+			let s = await U(i, t, e === "ECDH-ES" ? r.enc : e, e === "ECDH-ES" ? E(r.enc) : parseInt(e.slice(-5, -2), 10), a, o);
+			return e === "ECDH-ES" ? s : (Z(n), V(e.slice(-6), s, n));
+		}
+		case "RSA-OAEP":
+		case "RSA-OAEP-256":
+		case "RSA-OAEP-384":
+		case "RSA-OAEP-512": return Z(n), C(t), Ae(e, t, n);
+		case "PBES2-HS256+A128KW":
+		case "PBES2-HS384+A192KW":
+		case "PBES2-HS512+A256KW": {
+			if (Z(n), typeof r.p2c != "number") throw new S("JOSE Header \"p2c\" (PBES2 Count) missing or invalid");
+			let a = i?.maxPBES2Count || 1e4;
+			if (r.p2c > a) throw new S("JOSE Header \"p2c\" (PBES2 Count) out is of acceptable bounds");
+			if (typeof r.p2s != "string") throw new S("JOSE Header \"p2s\" (PBES2 Salt) missing or invalid");
+			let o;
+			return o = F(r.p2s, "p2s", S), De(e, t, n, r.p2c, o);
+		}
+		case "A128KW":
+		case "A192KW":
+		case "A256KW": return Z(n), V(e, t, n);
+		case "A128GCMKW":
+		case "A192GCMKW":
+		case "A256GCMKW": {
+			if (Z(n), typeof r.iv != "string") throw new S("JOSE Header \"iv\" (Initialization Vector) missing or invalid");
+			if (typeof r.tag != "string") throw new S("JOSE Header \"tag\" (Authentication Tag) missing or invalid");
+			let i;
+			i = F(r.iv, "iv", S);
+			let a;
+			return a = F(r.tag, "tag", S), ze(e, t, n, i, a);
+		}
+		default: throw new b(Be);
+	}
+}
+async function He(e, t, n, r, i = {}) {
+	let a, o, s;
+	switch (e) {
+		case "dir":
+			s = n;
+			break;
+		case "ECDH-ES":
+		case "ECDH-ES+A128KW":
+		case "ECDH-ES+A192KW":
+		case "ECDH-ES+A256KW": {
+			if (C(n), !W(n)) throw new b("ECDH with the provided key is not allowed or not supported by your javascript runtime");
+			let { apu: c, apv: l } = i, u;
+			u = i.epk ? await Pe(i.epk, e) : (await crypto.subtle.generateKey(n.algorithm, !0, ["deriveBits"])).privateKey;
+			let { x: f, y: p, crv: ee, kty: m } = await Le(u), h = await U(n, u, e === "ECDH-ES" ? t : e, e === "ECDH-ES" ? E(t) : parseInt(e.slice(-5, -2), 10), c, l);
+			if (o = { epk: {
+				x: f,
+				crv: ee,
+				kty: m
+			} }, m === "EC" && (o.epk.y = p), c && (o.apu = d(c)), l && (o.apv = d(l)), e === "ECDH-ES") {
+				s = h;
+				break;
+			}
+			s = r || D(t), a = await B(e.slice(-6), h, s);
+			break;
+		}
+		case "RSA-OAEP":
+		case "RSA-OAEP-256":
+		case "RSA-OAEP-384":
+		case "RSA-OAEP-512":
+			s = r || D(t), C(n), a = await ke(e, n, s);
+			break;
+		case "PBES2-HS256+A128KW":
+		case "PBES2-HS384+A192KW":
+		case "PBES2-HS512+A256KW": {
+			s = r || D(t);
+			let { p2c: c, p2s: l } = i;
+			({encryptedKey: a, ...o} = await Ee(e, n, s, c, l));
+			break;
+		}
+		case "A128KW":
+		case "A192KW":
+		case "A256KW":
+			s = r || D(t), a = await B(e, n, s);
+			break;
+		case "A128GCMKW":
+		case "A192GCMKW":
+		case "A256GCMKW": {
+			s = r || D(t);
+			let { iv: c } = i;
+			({encryptedKey: a, ...o} = await Re(e, n, s, c));
+			break;
+		}
+		default: throw new b(Be);
+	}
+	return {
+		cek: s,
+		encryptedKey: a,
+		parameters: o
+	};
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/validate_crit.js
+function Ue(e, t, n, r, i) {
+	if (i.crit !== void 0 && r?.crit === void 0) throw new e("\"crit\" (Critical) Header Parameter MUST be integrity protected");
+	if (!r || r.crit === void 0) return /* @__PURE__ */ new Set();
+	if (!Array.isArray(r.crit) || r.crit.length === 0 || r.crit.some((e) => typeof e != "string" || e.length === 0)) throw new e("\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present");
+	let a;
+	a = n === void 0 ? t : new Map([...Object.entries(n), ...t.entries()]);
+	for (let t of r.crit) {
+		if (!a.has(t)) throw new b(`Extension Header Parameter "${t}" is not recognized`);
+		if (i[t] === void 0) throw new e(`Extension Header Parameter "${t}" is missing`);
+		if (a.get(t) && r[t] === void 0) throw new e(`Extension Header Parameter "${t}" MUST be integrity protected`);
+	}
+	return new Set(r.crit);
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/check_key_type.js
+var Q = (e) => e?.[Symbol.toStringTag], $ = (e, t, n) => {
+	if (t.use !== void 0) {
+		let e;
+		switch (n) {
+			case "sign":
+			case "verify":
+				e = "sig";
+				break;
+			case "encrypt":
+			case "decrypt":
+				e = "enc";
+				break;
+		}
+		if (t.use !== e) throw TypeError(`Invalid key for this operation, its "use" must be "${e}" when present`);
+	}
+	if (t.alg !== void 0 && t.alg !== e) throw TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);
+	if (Array.isArray(t.key_ops)) {
+		let r;
+		switch (!0) {
+			case n === "sign" || n === "verify":
+			case e === "dir":
+			case e.includes("CBC-HS"):
+				r = n;
+				break;
+			case e.startsWith("PBES2"):
+				r = "deriveBits";
+				break;
+			case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):
+				r = !e.includes("GCM") && e.endsWith("KW") ? n === "encrypt" ? "wrapKey" : "unwrapKey" : n;
+				break;
+			case n === "encrypt" && e.startsWith("RSA"):
+				r = "wrapKey";
+				break;
+			case n === "decrypt":
+				r = e.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+				break;
+		}
+		if (r && t.key_ops?.includes?.(r) === !1) throw TypeError(`Invalid key for this operation, its "key_ops" must include "${r}" when present`);
+	}
+	return !0;
+}, We = (e, t, n) => {
+	if (!(t instanceof Uint8Array)) {
+		if (L(t)) {
+			if (xe(t) && $(e, t, n)) return;
+			throw TypeError("JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present");
+		}
+		if (!oe(t)) throw TypeError(te(e, t, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+		if (t.type !== "secret") throw TypeError(`${Q(t)} instances for symmetric algorithms must be of type "secret"`);
+	}
+}, Ge = (e, t, n) => {
+	if (L(t)) switch (n) {
+		case "decrypt":
+		case "sign":
+			if (ye(t) && $(e, t, n)) return;
+			throw TypeError("JSON Web Key for this operation must be a private JWK");
+		case "encrypt":
+		case "verify":
+			if (be(t) && $(e, t, n)) return;
+			throw TypeError("JSON Web Key for this operation must be a public JWK");
+	}
+	if (!oe(t)) throw TypeError(te(e, t, "CryptoKey", "KeyObject", "JSON Web Key"));
+	if (t.type === "secret") throw TypeError(`${Q(t)} instances for asymmetric algorithms must not be of type "secret"`);
+	if (t.type === "public") switch (n) {
+		case "sign": throw TypeError(`${Q(t)} instances for asymmetric algorithm signing must be of type "private"`);
+		case "decrypt": throw TypeError(`${Q(t)} instances for asymmetric algorithm decryption must be of type "private"`);
+	}
+	if (t.type === "private") switch (n) {
+		case "verify": throw TypeError(`${Q(t)} instances for asymmetric algorithm verifying must be of type "public"`);
+		case "encrypt": throw TypeError(`${Q(t)} instances for asymmetric algorithm encryption must be of type "public"`);
+	}
+};
+function Ke(e, t, n) {
+	switch (e.substring(0, 2)) {
+		case "A1":
+		case "A2":
+		case "di":
+		case "HS":
+		case "PB":
+			We(e, t, n);
+			break;
+		default: Ge(e, t, n);
+	}
+}
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.2.2/node_modules/jose/dist/webapi/lib/deflate.js
+function qe(e) {
+	if (globalThis[e] === void 0) throw new b(`JWE "zip" (Compression Algorithm) Header Parameter requires the ${e} API.`);
+}
+async function Je(e) {
+	qe("CompressionStream");
+	let t = new CompressionStream("deflate-raw"), n = t.writable.getWriter();
+	n.write(e).catch(() => {}), n.close().catch(() => {});
+	let i = [], a = t.readable.getReader();
+	for (;;) {
+		let { value: e, done: t } = await a.read();
+		if (t) break;
+		i.push(e);
+	}
+	return r(...i);
+}
+async function Ye(e, t) {
+	qe("DecompressionStream");
+	let n = new DecompressionStream("deflate-raw"), i = n.writable.getWriter();
+	i.write(e).catch(() => {}), i.close().catch(() => {});
+	let a = [], o = 0, s = n.readable.getReader();
+	for (;;) {
+		let { value: e, done: n } = await s.read();
+		if (n) break;
+		if (a.push(e), o += e.byteLength, t !== Infinity && o > t) throw new S("Decompressed plaintext exceeded the configured limit");
+	}
+	return r(...a);
+}
+//#endregion
+export { d as C, e as D, s as E, u as S, t as T, b as _, Ve as a, re as b, ve as c, F as d, me as f, ie as g, D as h, Ue as i, I as l, N as m, Ye as n, He as o, P as p, Ke as r, Pe as s, Je as t, he as u, S as v, r as w, ae as x, ne as y };