npm - @genation/sdk - Versions diffs - 0.2.9 → 0.2.10 - Mend

@genation/sdk 0.2.9 → 0.2.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/genation.es.js CHANGED Viewed

@@ -1,51 +1,51 @@
-class m extends Error {
+class N extends Error {
   code;
   cause;
-  constructor(e, t, s) {
-    super(e), this.name = "GenationError", this.code = t, this.cause = s;
+  constructor(e, r, n) {
+    super(e), this.name = "GenationError", this.code = r, this.cause = n;
   }
 }
-class l extends m {
-  constructor(e, t, s) {
-    super(e, t, s), this.name = "AuthError";
+class g extends N {
+  constructor(e, r, n) {
+    super(e, r, n), this.name = "AuthError";
   }
   static invalidGrant(e = "Invalid authorization code or refresh token") {
-    return new l(e, "invalid_grant");
+    return new g(e, "invalid_grant");
   }
   static accessDenied(e = "User denied access") {
-    return new l(e, "access_denied");
+    return new g(e, "access_denied");
   }
   static expiredToken(e = "Token has expired") {
-    return new l(e, "expired_token");
+    return new g(e, "expired_token");
   }
   static invalidState(e = "State mismatch, possible CSRF attack") {
-    return new l(e, "invalid_state");
+    return new g(e, "invalid_state");
   }
   static pkceVerificationFailed(e = "PKCE verification failed") {
-    return new l(e, "pkce_verification_failed");
+    return new g(e, "pkce_verification_failed");
   }
 }
-class h extends m {
+class S extends N {
   status;
-  constructor(e, t, s) {
-    super(e, "network_error", s), this.name = "NetworkError", this.status = t;
+  constructor(e, r, n) {
+    super(e, "network_error", n), this.name = "NetworkError", this.status = r;
   }
   static fromResponse(e) {
-    return new h(
+    return new S(
       `HTTP ${e.status}: ${e.statusText}`,
       e.status
     );
   }
 }
-class u extends m {
+class v extends N {
   constructor(e) {
     super(e, "config_error"), this.name = "ConfigError";
   }
   static missingField(e) {
-    return new u(`Missing required config field: ${e}`);
+    return new v(`Missing required config field: ${e}`);
   }
 }
-class p {
+class D {
   baseUrl;
   timeout;
   constructor(e) {
@@ -54,79 +54,79 @@ class p {
   /**
    * Make an HTTP request
    */
-  async request(e, t = {}) {
-    const { method: s = "GET", headers: n = {}, body: i, params: c } = t;
-    let a = `${this.baseUrl}${e}`;
-    if (c) {
-      const o = new URLSearchParams(c);
-      a += `?${o.toString()}`;
-    }
-    const y = new AbortController(), S = setTimeout(() => y.abort(), this.timeout);
+  async request(e, r = {}) {
+    const { method: n = "GET", headers: s = {}, body: a, params: i } = r;
+    let c = `${this.baseUrl}${e}`;
+    if (i) {
+      const o = new URLSearchParams(i);
+      c += `?${o.toString()}`;
+    }
+    const u = new AbortController(), h = setTimeout(() => u.abort(), this.timeout);
     try {
-      const o = await fetch(a, {
-        method: s,
+      const o = await fetch(c, {
+        method: n,
         headers: {
           "Content-Type": "application/json",
-          ...n
+          ...s
         },
-        body: i ? JSON.stringify(i) : void 0,
-        signal: y.signal
+        body: a ? JSON.stringify(a) : void 0,
+        signal: u.signal
       });
-      if (clearTimeout(S), !o.ok)
-        throw h.fromResponse(o);
+      if (clearTimeout(h), !o.ok)
+        throw S.fromResponse(o);
       return await o.json();
     } catch (o) {
-      throw clearTimeout(S), o instanceof h ? o : o instanceof Error && o.name === "AbortError" ? new h("Request timeout", void 0, o) : new h("Network request failed", void 0, o);
+      throw clearTimeout(h), o instanceof S ? o : o instanceof Error && o.name === "AbortError" ? new S("Request timeout", void 0, o) : new S("Network request failed", void 0, o);
     }
   }
   /**
    * POST request with form data (for OAuth token exchange)
    */
-  async postForm(e, t, s = {}) {
-    const n = `${this.baseUrl}${e}`, i = new AbortController(), c = setTimeout(() => i.abort(), this.timeout);
+  async postForm(e, r, n = {}) {
+    const s = `${this.baseUrl}${e}`, a = new AbortController(), i = setTimeout(() => a.abort(), this.timeout);
     try {
-      const a = await fetch(n, {
+      const c = await fetch(s, {
         method: "POST",
         headers: {
           "Content-Type": "application/x-www-form-urlencoded",
-          ...s
+          ...n
         },
-        body: new URLSearchParams(t).toString(),
-        signal: i.signal
+        body: new URLSearchParams(r).toString(),
+        signal: a.signal
       });
-      if (clearTimeout(c), !a.ok)
-        throw h.fromResponse(a);
-      return await a.json();
-    } catch (a) {
-      throw clearTimeout(c), a instanceof h ? a : new h("Network request failed", void 0, a);
+      if (clearTimeout(i), !c.ok)
+        throw S.fromResponse(c);
+      return await c.json();
+    } catch (c) {
+      throw clearTimeout(i), c instanceof S ? c : new S("Network request failed", void 0, c);
     }
   }
 }
-function k(r) {
-  return btoa(String.fromCharCode(...r)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+function $(t) {
+  return btoa(String.fromCharCode(...t)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
-function _() {
-  const r = new Uint8Array(32);
-  return crypto.getRandomValues(r), k(r);
+function he() {
+  const t = new Uint8Array(32);
+  return crypto.getRandomValues(t), $(t);
 }
-async function b(r) {
-  const t = new TextEncoder().encode(r), s = await crypto.subtle.digest("SHA-256", t);
-  return k(new Uint8Array(s));
+async function ue(t) {
+  const r = new TextEncoder().encode(t), n = await crypto.subtle.digest("SHA-256", r);
+  return $(new Uint8Array(n));
 }
-async function v() {
-  const r = _(), e = await b(r);
+async function fe() {
+  const t = he(), e = await ue(t);
   return {
-    codeVerifier: r,
+    codeVerifier: t,
     codeChallenge: e,
     codeChallengeMethod: "S256"
   };
 }
-function C() {
-  const r = new Uint8Array(16);
-  return crypto.getRandomValues(r), k(r);
+function de() {
+  const t = new Uint8Array(16);
+  return crypto.getRandomValues(t), $(t);
 }
-const d = "tokens", g = "pkce", f = "state";
-class I {
+const W = "tokens", k = "pkce", I = "state";
+class le {
   storage;
   constructor(e) {
     this.storage = e;
@@ -135,13 +135,13 @@ class I {
    * Store token set
    */
   async setTokens(e) {
-    await this.storage.set(d, JSON.stringify(e));
+    await this.storage.set(W, JSON.stringify(e));
   }
   /**
    * Get stored tokens
    */
   async getTokens() {
-    const e = await this.storage.get(d);
+    const e = await this.storage.get(W);
     if (!e) return null;
     try {
       return JSON.parse(e);
@@ -153,7 +153,7 @@ class I {
    * Clear stored tokens
    */
   async clearTokens() {
-    await this.storage.remove(d);
+    await this.storage.remove(W);
   }
   /**
    * Check if access token is expired
@@ -161,34 +161,34 @@ class I {
   async isTokenExpired() {
     const e = await this.getTokens();
     if (!e) return !0;
-    const t = e.issuedAt + e.expiresIn * 1e3;
-    return Date.now() > t - 6e4;
+    const r = e.issuedAt + e.expiresIn * 1e3;
+    return Date.now() > r - 6e4;
   }
   /**
    * Store PKCE verifier for later validation
    */
   async setPKCE(e) {
-    await this.storage.set(g, e);
+    await this.storage.set(k, e);
   }
   /**
    * Get and clear stored PKCE verifier
    */
   async consumePKCE() {
-    const e = await this.storage.get(g);
-    return e && await this.storage.remove(g), e;
+    const e = await this.storage.get(k);
+    return e && await this.storage.remove(k), e;
   }
   /**
    * Store state for CSRF validation
    */
   async setState(e) {
-    await this.storage.set(f, e);
+    await this.storage.set(I, e);
   }
   /**
    * Get and clear stored state
    */
   async consumeState() {
-    const e = await this.storage.get(f);
-    return e && await this.storage.remove(f), e;
+    const e = await this.storage.get(I);
+    return e && await this.storage.remove(I), e;
   }
   /**
    * Clear all auth-related data
@@ -197,48 +197,48 @@ class I {
     await this.storage.clear();
   }
 }
-const U = "https://mnnoheowoowbtpuoguul.supabase.co/auth/v1";
-class x {
+const pe = "https://mnnoheowoowbtpuoguul.supabase.co/auth/v1";
+class ye {
   config;
   http;
   tokenManager;
-  constructor(e, t) {
+  constructor(e, r) {
     this.config = {
       clientId: e.clientId,
       clientSecret: e.clientSecret,
       redirectUri: e.redirectUri,
       scopes: e.scopes,
-      authUrl: e.authUrl ?? U
-    }, this.http = new p({ baseUrl: this.config.authUrl }), this.tokenManager = t;
+      authUrl: e.authUrl ?? pe
+    }, this.http = new D({ baseUrl: this.config.authUrl }), this.tokenManager = r;
   }
   /**
    * Generate authorization URL for OAuth flow
    * Stores PKCE verifier and state for later validation
    */
   async getAuthorizationUrl() {
-    const e = await v(), t = C();
-    await this.tokenManager.setPKCE(e.codeVerifier), await this.tokenManager.setState(t);
-    const s = new URLSearchParams({
+    const e = await fe(), r = de();
+    await this.tokenManager.setPKCE(e.codeVerifier), await this.tokenManager.setState(r);
+    const n = new URLSearchParams({
       response_type: "code",
       client_id: this.config.clientId,
       redirect_uri: this.config.redirectUri,
-      state: t,
+      state: r,
       code_challenge: e.codeChallenge,
       code_challenge_method: e.codeChallengeMethod
     });
-    return this.config.scopes && this.config.scopes.length > 0 && s.append("scope", this.config.scopes.join(" ")), `${this.config.authUrl}/oauth/authorize?${s.toString()}`;
+    return this.config.scopes && this.config.scopes.length > 0 && n.append("scope", this.config.scopes.join(" ")), `${this.config.authUrl}/oauth/authorize?${n.toString()}`;
   }
   /**
    * Exchange authorization code for tokens
    */
-  async exchangeCode(e, t) {
-    const s = await this.tokenManager.consumeState();
-    if (!s || s !== t)
-      throw l.invalidState();
-    const n = await this.tokenManager.consumePKCE();
-    if (!n)
-      throw l.pkceVerificationFailed("Missing code verifier");
-    const i = await this.http.postForm(
+  async exchangeCode(e, r) {
+    const n = await this.tokenManager.consumeState();
+    if (!n || n !== r)
+      throw g.invalidState();
+    const s = await this.tokenManager.consumePKCE();
+    if (!s)
+      throw g.pkceVerificationFailed("Missing code verifier");
+    const a = await this.http.postForm(
       "/oauth/token",
       {
         grant_type: "authorization_code",
@@ -246,10 +246,10 @@ class x {
         redirect_uri: this.config.redirectUri,
         client_id: this.config.clientId,
         client_secret: this.config.clientSecret,
-        code_verifier: n
+        code_verifier: s
       }
-    ), c = this.mapTokenResponse(i);
-    return await this.tokenManager.setTokens(c), c;
+    ), i = this.mapTokenResponse(a);
+    return await this.tokenManager.setTokens(i), i;
   }
   /**
    * Refresh access token using refresh token
@@ -257,8 +257,8 @@ class x {
   async refreshToken() {
     const e = await this.tokenManager.getTokens();
     if (!e?.refreshToken)
-      throw l.invalidGrant("No refresh token available");
-    const t = await this.http.postForm(
+      throw g.invalidGrant("No refresh token available");
+    const r = await this.http.postForm(
       "/oauth/token",
       {
         grant_type: "refresh_token",
@@ -266,8 +266,8 @@ class x {
         client_id: this.config.clientId,
         client_secret: this.config.clientSecret
       }
-    ), s = this.mapTokenResponse(t);
-    return await this.tokenManager.setTokens(s), s;
+    ), n = this.mapTokenResponse(r);
+    return await this.tokenManager.setTokens(n), n;
   }
   /**
    * Revoke current tokens
@@ -299,13 +299,1059 @@ class x {
     };
   }
 }
-class E {
+const G = new TextEncoder(), _ = new TextDecoder();
+function me(...t) {
+  const e = t.reduce((s, { length: a }) => s + a, 0), r = new Uint8Array(e);
+  let n = 0;
+  for (const s of t)
+    r.set(s, n), n += s.length;
+  return r;
+}
+function J(t) {
+  const e = new Uint8Array(t.length);
+  for (let r = 0; r < t.length; r++) {
+    const n = t.charCodeAt(r);
+    if (n > 127)
+      throw new TypeError("non-ASCII string encountered in encode()");
+    e[r] = n;
+  }
+  return e;
+}
+function we(t) {
+  if (Uint8Array.fromBase64)
+    return Uint8Array.fromBase64(t);
+  const e = atob(t), r = new Uint8Array(e.length);
+  for (let n = 0; n < e.length; n++)
+    r[n] = e.charCodeAt(n);
+  return r;
+}
+function C(t) {
+  if (Uint8Array.fromBase64)
+    return Uint8Array.fromBase64(typeof t == "string" ? t : _.decode(t), {
+      alphabet: "base64url"
+    });
+  let e = t;
+  e instanceof Uint8Array && (e = _.decode(e)), e = e.replace(/-/g, "+").replace(/_/g, "/");
+  try {
+    return we(e);
+  } catch {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+}
+class l extends Error {
+  static code = "ERR_JOSE_GENERIC";
+  code = "ERR_JOSE_GENERIC";
+  constructor(e, r) {
+    super(e, r), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+class y extends l {
+  static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  claim;
+  reason;
+  payload;
+  constructor(e, r, n = "unspecified", s = "unspecified") {
+    super(e, { cause: { claim: n, reason: s, payload: r } }), this.claim = n, this.reason = s, this.payload = r;
+  }
+}
+class z extends l {
+  static code = "ERR_JWT_EXPIRED";
+  code = "ERR_JWT_EXPIRED";
+  claim;
+  reason;
+  payload;
+  constructor(e, r, n = "unspecified", s = "unspecified") {
+    super(e, { cause: { claim: n, reason: s, payload: r } }), this.claim = n, this.reason = s, this.payload = r;
+  }
+}
+class w extends l {
+  static code = "ERR_JOSE_NOT_SUPPORTED";
+  code = "ERR_JOSE_NOT_SUPPORTED";
+}
+class f extends l {
+  static code = "ERR_JWS_INVALID";
+  code = "ERR_JWS_INVALID";
+}
+class j extends l {
+  static code = "ERR_JWT_INVALID";
+  code = "ERR_JWT_INVALID";
+}
+class ee extends l {
+  static code = "ERR_JWKS_INVALID";
+  code = "ERR_JWKS_INVALID";
+}
+class te extends l {
+  static code = "ERR_JWKS_NO_MATCHING_KEY";
+  code = "ERR_JWKS_NO_MATCHING_KEY";
+  constructor(e = "no applicable key found in the JSON Web Key Set", r) {
+    super(e, r);
+  }
+}
+class Se extends l {
+  [Symbol.asyncIterator];
+  static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+  code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+  constructor(e = "multiple matching keys found in the JSON Web Key Set", r) {
+    super(e, r);
+  }
+}
+class ge extends l {
+  static code = "ERR_JWKS_TIMEOUT";
+  code = "ERR_JWKS_TIMEOUT";
+  constructor(e = "request timed out", r) {
+    super(e, r);
+  }
+}
+class be extends l {
+  static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  constructor(e = "signature verification failed", r) {
+    super(e, r);
+  }
+}
+const m = (t, e = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`), A = (t, e) => t.name === e;
+function U(t) {
+  return parseInt(t.name.slice(4), 10);
+}
+function Ee(t) {
+  switch (t) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function Ae(t, e) {
+  if (!t.usages.includes(e))
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`);
+}
+function Ke(t, e, r) {
+  switch (e) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!A(t.algorithm, "HMAC"))
+        throw m("HMAC");
+      const n = parseInt(e.slice(2), 10);
+      if (U(t.algorithm.hash) !== n)
+        throw m(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!A(t.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw m("RSASSA-PKCS1-v1_5");
+      const n = parseInt(e.slice(2), 10);
+      if (U(t.algorithm.hash) !== n)
+        throw m(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!A(t.algorithm, "RSA-PSS"))
+        throw m("RSA-PSS");
+      const n = parseInt(e.slice(2), 10);
+      if (U(t.algorithm.hash) !== n)
+        throw m(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!A(t.algorithm, "Ed25519"))
+        throw m("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!A(t.algorithm, e))
+        throw m(e);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!A(t.algorithm, "ECDSA"))
+        throw m("ECDSA");
+      const n = Ee(e);
+      if (t.algorithm.namedCurve !== n)
+        throw m(n, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  Ae(t, r);
+}
+function re(t, e, ...r) {
+  if (r = r.filter(Boolean), r.length > 2) {
+    const n = r.pop();
+    t += `one of type ${r.join(", ")}, or ${n}.`;
+  } else r.length === 2 ? t += `one of type ${r[0]} or ${r[1]}.` : t += `of type ${r[0]}.`;
+  return e == null ? t += ` Received ${e}` : typeof e == "function" && e.name ? t += ` Received function ${e.name}` : typeof e == "object" && e != null && e.constructor?.name && (t += ` Received an instance of ${e.constructor.name}`), t;
+}
+const Te = (t, ...e) => re("Key must be ", t, ...e), ne = (t, e, ...r) => re(`Key for the ${t} algorithm must be `, e, ...r), se = (t) => {
+  if (t?.[Symbol.toStringTag] === "CryptoKey")
+    return !0;
+  try {
+    return t instanceof CryptoKey;
+  } catch {
+    return !1;
+  }
+}, ae = (t) => t?.[Symbol.toStringTag] === "KeyObject", ie = (t) => se(t) || ae(t);
+function ve(...t) {
+  const e = t.filter(Boolean);
+  if (e.length === 0 || e.length === 1)
+    return !0;
+  let r;
+  for (const n of e) {
+    const s = Object.keys(n);
+    if (!r || r.size === 0) {
+      r = new Set(s);
+      continue;
+    }
+    for (const a of s) {
+      if (r.has(a))
+        return !1;
+      r.add(a);
+    }
+  }
+  return !0;
+}
+const Ce = (t) => typeof t == "object" && t !== null;
+function E(t) {
+  if (!Ce(t) || Object.prototype.toString.call(t) !== "[object Object]")
+    return !1;
+  if (Object.getPrototypeOf(t) === null)
+    return !0;
+  let e = t;
+  for (; Object.getPrototypeOf(e) !== null; )
+    e = Object.getPrototypeOf(e);
+  return Object.getPrototypeOf(t) === e;
+}
+function _e(t, e) {
+  if (t.startsWith("RS") || t.startsWith("PS")) {
+    const { modulusLength: r } = e.algorithm;
+    if (typeof r != "number" || r < 2048)
+      throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`);
+  }
+}
+function Re(t) {
+  let e, r;
+  switch (t.kty) {
+    case "AKP": {
+      switch (t.alg) {
+        case "ML-DSA-44":
+        case "ML-DSA-65":
+        case "ML-DSA-87":
+          e = { name: t.alg }, r = t.priv ? ["sign"] : ["verify"];
+          break;
+        default:
+          throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "RSA": {
+      switch (t.alg) {
+        case "PS256":
+        case "PS384":
+        case "PS512":
+          e = { name: "RSA-PSS", hash: `SHA-${t.alg.slice(-3)}` }, r = t.d ? ["sign"] : ["verify"];
+          break;
+        case "RS256":
+        case "RS384":
+        case "RS512":
+          e = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${t.alg.slice(-3)}` }, r = t.d ? ["sign"] : ["verify"];
+          break;
+        case "RSA-OAEP":
+        case "RSA-OAEP-256":
+        case "RSA-OAEP-384":
+        case "RSA-OAEP-512":
+          e = {
+            name: "RSA-OAEP",
+            hash: `SHA-${parseInt(t.alg.slice(-3), 10) || 1}`
+          }, r = t.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+          break;
+        default:
+          throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "EC": {
+      switch (t.alg) {
+        case "ES256":
+          e = { name: "ECDSA", namedCurve: "P-256" }, r = t.d ? ["sign"] : ["verify"];
+          break;
+        case "ES384":
+          e = { name: "ECDSA", namedCurve: "P-384" }, r = t.d ? ["sign"] : ["verify"];
+          break;
+        case "ES512":
+          e = { name: "ECDSA", namedCurve: "P-521" }, r = t.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          e = { name: "ECDH", namedCurve: t.crv }, r = t.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "OKP": {
+      switch (t.alg) {
+        case "Ed25519":
+        case "EdDSA":
+          e = { name: "Ed25519" }, r = t.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          e = { name: t.crv }, r = t.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    default:
+      throw new w('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+  }
+  return { algorithm: e, keyUsages: r };
+}
+async function R(t) {
+  if (!t.alg)
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  const { algorithm: e, keyUsages: r } = Re(t), n = { ...t };
+  return n.kty !== "AKP" && delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, e, t.ext ?? !(t.d || t.priv), t.key_ops ?? r);
+}
+async function Pe(t, e, r) {
+  if (!E(t))
+    throw new TypeError("JWK must be an object");
+  let n;
+  switch (e ??= t.alg, n ??= t.ext, t.kty) {
+    case "oct":
+      if (typeof t.k != "string" || !t.k)
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      return C(t.k);
+    case "RSA":
+      if ("oth" in t && t.oth !== void 0)
+        throw new w('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      return R({ ...t, alg: e, ext: n });
+    case "AKP": {
+      if (typeof t.alg != "string" || !t.alg)
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      if (e !== void 0 && e !== t.alg)
+        throw new TypeError("JWK alg and alg option value mismatch");
+      return R({ ...t, ext: n });
+    }
+    case "EC":
+    case "OKP":
+      return R({ ...t, alg: e, ext: n });
+    default:
+      throw new w('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+function We(t, e, r, n, s) {
+  if (s.crit !== void 0 && n?.crit === void 0)
+    throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');
+  if (!n || n.crit === void 0)
+    return /* @__PURE__ */ new Set();
+  if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((i) => typeof i != "string" || i.length === 0))
+    throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  let a;
+  a = e;
+  for (const i of n.crit) {
+    if (!a.has(i))
+      throw new w(`Extension Header Parameter "${i}" is not recognized`);
+    if (s[i] === void 0)
+      throw new t(`Extension Header Parameter "${i}" is missing`);
+    if (a.get(i) && n[i] === void 0)
+      throw new t(`Extension Header Parameter "${i}" MUST be integrity protected`);
+  }
+  return new Set(n.crit);
+}
+const L = (t) => E(t) && typeof t.kty == "string", ke = (t) => t.kty !== "oct" && (t.kty === "AKP" && typeof t.priv == "string" || typeof t.d == "string"), Ie = (t) => t.kty !== "oct" && t.d === void 0 && t.priv === void 0, Je = (t) => t.kty === "oct" && typeof t.k == "string";
+let T;
+const B = async (t, e, r, n = !1) => {
+  T ||= /* @__PURE__ */ new WeakMap();
+  let s = T.get(t);
+  if (s?.[r])
+    return s[r];
+  const a = await R({ ...e, alg: r });
+  return n && Object.freeze(t), s ? s[r] = a : T.set(t, { [r]: a }), a;
+}, Ue = (t, e) => {
+  T ||= /* @__PURE__ */ new WeakMap();
+  let r = T.get(t);
+  if (r?.[e])
+    return r[e];
+  const n = t.type === "public", s = !!n;
+  let a;
+  if (t.asymmetricKeyType === "x25519") {
+    switch (e) {
+      case "ECDH-ES":
+      case "ECDH-ES+A128KW":
+      case "ECDH-ES+A192KW":
+      case "ECDH-ES+A256KW":
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    a = t.toCryptoKey(t.asymmetricKeyType, s, n ? [] : ["deriveBits"]);
+  }
+  if (t.asymmetricKeyType === "ed25519") {
+    if (e !== "EdDSA" && e !== "Ed25519")
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    a = t.toCryptoKey(t.asymmetricKeyType, s, [
+      n ? "verify" : "sign"
+    ]);
+  }
+  switch (t.asymmetricKeyType) {
+    case "ml-dsa-44":
+    case "ml-dsa-65":
+    case "ml-dsa-87": {
+      if (e !== t.asymmetricKeyType.toUpperCase())
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      a = t.toCryptoKey(t.asymmetricKeyType, s, [
+        n ? "verify" : "sign"
+      ]);
+    }
+  }
+  if (t.asymmetricKeyType === "rsa") {
+    let i;
+    switch (e) {
+      case "RSA-OAEP":
+        i = "SHA-1";
+        break;
+      case "RS256":
+      case "PS256":
+      case "RSA-OAEP-256":
+        i = "SHA-256";
+        break;
+      case "RS384":
+      case "PS384":
+      case "RSA-OAEP-384":
+        i = "SHA-384";
+        break;
+      case "RS512":
+      case "PS512":
+      case "RSA-OAEP-512":
+        i = "SHA-512";
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    if (e.startsWith("RSA-OAEP"))
+      return t.toCryptoKey({
+        name: "RSA-OAEP",
+        hash: i
+      }, s, n ? ["encrypt"] : ["decrypt"]);
+    a = t.toCryptoKey({
+      name: e.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+      hash: i
+    }, s, [n ? "verify" : "sign"]);
+  }
+  if (t.asymmetricKeyType === "ec") {
+    const c = (/* @__PURE__ */ new Map([
+      ["prime256v1", "P-256"],
+      ["secp384r1", "P-384"],
+      ["secp521r1", "P-521"]
+    ])).get(t.asymmetricKeyDetails?.namedCurve);
+    if (!c)
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    e === "ES256" && c === "P-256" && (a = t.toCryptoKey({
+      name: "ECDSA",
+      namedCurve: c
+    }, s, [n ? "verify" : "sign"])), e === "ES384" && c === "P-384" && (a = t.toCryptoKey({
+      name: "ECDSA",
+      namedCurve: c
+    }, s, [n ? "verify" : "sign"])), e === "ES512" && c === "P-521" && (a = t.toCryptoKey({
+      name: "ECDSA",
+      namedCurve: c
+    }, s, [n ? "verify" : "sign"])), e.startsWith("ECDH-ES") && (a = t.toCryptoKey({
+      name: "ECDH",
+      namedCurve: c
+    }, s, n ? [] : ["deriveBits"]));
+  }
+  if (!a)
+    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+  return r ? r[e] = a : T.set(t, { [e]: a }), a;
+};
+async function xe(t, e) {
+  if (t instanceof Uint8Array || se(t))
+    return t;
+  if (ae(t)) {
+    if (t.type === "secret")
+      return t.export();
+    if ("toCryptoKey" in t && typeof t.toCryptoKey == "function")
+      try {
+        return Ue(t, e);
+      } catch (n) {
+        if (n instanceof TypeError)
+          throw n;
+      }
+    let r = t.export({ format: "jwk" });
+    return B(t, r, e);
+  }
+  if (L(t))
+    return t.k ? C(t.k) : B(t, t, e, !0);
+  throw new Error("unreachable");
+}
+const K = (t) => t?.[Symbol.toStringTag], O = (t, e, r) => {
+  if (e.use !== void 0) {
+    let n;
+    switch (r) {
+      case "sign":
+      case "verify":
+        n = "sig";
+        break;
+      case "encrypt":
+      case "decrypt":
+        n = "enc";
+        break;
+    }
+    if (e.use !== n)
+      throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`);
+  }
+  if (e.alg !== void 0 && e.alg !== t)
+    throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);
+  if (Array.isArray(e.key_ops)) {
+    let n;
+    switch (!0) {
+      case r === "verify":
+      case t === "dir":
+      case t.includes("CBC-HS"):
+        n = r;
+        break;
+      case t.startsWith("PBES2"):
+        n = "deriveBits";
+        break;
+      case /^A\d{3}(?:GCM)?(?:KW)?$/.test(t):
+        !t.includes("GCM") && t.endsWith("KW") ? n = "unwrapKey" : n = r;
+        break;
+      case r === "encrypt":
+        n = "wrapKey";
+        break;
+      case r === "decrypt":
+        n = t.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+        break;
+    }
+    if (n && e.key_ops?.includes?.(n) === !1)
+      throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`);
+  }
+  return !0;
+}, De = (t, e, r) => {
+  if (!(e instanceof Uint8Array)) {
+    if (L(e)) {
+      if (Je(e) && O(t, e, r))
+        return;
+      throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
+    }
+    if (!ie(e))
+      throw new TypeError(ne(t, e, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+    if (e.type !== "secret")
+      throw new TypeError(`${K(e)} instances for symmetric algorithms must be of type "secret"`);
+  }
+}, Oe = (t, e, r) => {
+  if (L(e))
+    switch (r) {
+      case "decrypt":
+      case "sign":
+        if (ke(e) && O(t, e, r))
+          return;
+        throw new TypeError("JSON Web Key for this operation must be a private JWK");
+      case "encrypt":
+      case "verify":
+        if (Ie(e) && O(t, e, r))
+          return;
+        throw new TypeError("JSON Web Key for this operation must be a public JWK");
+    }
+  if (!ie(e))
+    throw new TypeError(ne(t, e, "CryptoKey", "KeyObject", "JSON Web Key"));
+  if (e.type === "secret")
+    throw new TypeError(`${K(e)} instances for asymmetric algorithms must not be of type "secret"`);
+  if (e.type === "public")
+    switch (r) {
+      case "sign":
+        throw new TypeError(`${K(e)} instances for asymmetric algorithm signing must be of type "private"`);
+      case "decrypt":
+        throw new TypeError(`${K(e)} instances for asymmetric algorithm decryption must be of type "private"`);
+    }
+  if (e.type === "private")
+    switch (r) {
+      case "verify":
+        throw new TypeError(`${K(e)} instances for asymmetric algorithm verifying must be of type "public"`);
+      case "encrypt":
+        throw new TypeError(`${K(e)} instances for asymmetric algorithm encryption must be of type "public"`);
+    }
+};
+function Me(t, e, r) {
+  switch (t.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      De(t, e, r);
+      break;
+    default:
+      Oe(t, e, r);
+  }
+}
+function He(t, e) {
+  const r = `SHA-${t.slice(-3)}`;
+  switch (t) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash: r, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash: r, name: "RSA-PSS", saltLength: parseInt(t.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash: r, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash: r, name: "ECDSA", namedCurve: e.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: t };
+    default:
+      throw new w(`alg ${t} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function Ne(t, e, r) {
+  if (e instanceof Uint8Array) {
+    if (!t.startsWith("HS"))
+      throw new TypeError(Te(e, "CryptoKey", "KeyObject", "JSON Web Key"));
+    return crypto.subtle.importKey("raw", e, { hash: `SHA-${t.slice(-3)}`, name: "HMAC" }, !1, [r]);
+  }
+  return Ke(e, t, r), e;
+}
+async function $e(t, e, r, n) {
+  const s = await Ne(t, e, "verify");
+  _e(t, s);
+  const a = He(t, s.algorithm);
+  try {
+    return await crypto.subtle.verify(a, s, r, n);
+  } catch {
+    return !1;
+  }
+}
+async function Le(t, e, r) {
+  if (!E(t))
+    throw new f("Flattened JWS must be an object");
+  if (t.protected === void 0 && t.header === void 0)
+    throw new f('Flattened JWS must have either of the "protected" or "header" members');
+  if (t.protected !== void 0 && typeof t.protected != "string")
+    throw new f("JWS Protected Header incorrect type");
+  if (t.payload === void 0)
+    throw new f("JWS Payload missing");
+  if (typeof t.signature != "string")
+    throw new f("JWS Signature missing or incorrect type");
+  if (t.header !== void 0 && !E(t.header))
+    throw new f("JWS Unprotected Header incorrect type");
+  let n = {};
+  if (t.protected)
+    try {
+      const P = C(t.protected);
+      n = JSON.parse(_.decode(P));
+    } catch {
+      throw new f("JWS Protected Header is invalid");
+    }
+  if (!ve(n, t.header))
+    throw new f("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  const s = {
+    ...n,
+    ...t.header
+  }, a = We(f, /* @__PURE__ */ new Map([["b64", !0]]), r?.crit, n, s);
+  let i = !0;
+  if (a.has("b64") && (i = n.b64, typeof i != "boolean"))
+    throw new f('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+  const { alg: c } = s;
+  if (typeof c != "string" || !c)
+    throw new f('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  if (i) {
+    if (typeof t.payload != "string")
+      throw new f("JWS Payload must be a string");
+  } else if (typeof t.payload != "string" && !(t.payload instanceof Uint8Array))
+    throw new f("JWS Payload must be a string or an Uint8Array instance");
+  let u = !1;
+  typeof e == "function" && (e = await e(n, t), u = !0), Me(c, e, "verify");
+  const h = me(t.protected !== void 0 ? J(t.protected) : new Uint8Array(), J("."), typeof t.payload == "string" ? i ? J(t.payload) : G.encode(t.payload) : t.payload);
+  let o;
+  try {
+    o = C(t.signature);
+  } catch {
+    throw new f("Failed to base64url decode the signature");
+  }
+  const d = await xe(e, c);
+  if (!await $e(c, d, o, h))
+    throw new be();
+  let b;
+  if (i)
+    try {
+      b = C(t.payload);
+    } catch {
+      throw new f("Failed to base64url decode the payload");
+    }
+  else typeof t.payload == "string" ? b = G.encode(t.payload) : b = t.payload;
+  const p = { payload: b };
+  return t.protected !== void 0 && (p.protectedHeader = n), t.header !== void 0 && (p.unprotectedHeader = t.header), u ? { ...p, key: d } : p;
+}
+async function Fe(t, e, r) {
+  if (t instanceof Uint8Array && (t = _.decode(t)), typeof t != "string")
+    throw new f("Compact JWS must be a string or Uint8Array");
+  const { 0: n, 1: s, 2: a, length: i } = t.split(".");
+  if (i !== 3)
+    throw new f("Invalid Compact JWS");
+  const c = await Le({ payload: s, protected: n, signature: a }, e, r), u = { payload: c.payload, protectedHeader: c.protectedHeader };
+  return typeof e == "function" ? { ...u, key: c.key } : u;
+}
+const Ve = (t) => Math.floor(t.getTime() / 1e3), oe = 60, ce = oe * 60, F = ce * 24, Ge = F * 7, ze = F * 365.25, Be = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function q(t) {
+  const e = Be.exec(t);
+  if (!e || e[4] && e[1])
+    throw new TypeError("Invalid time period format");
+  const r = parseFloat(e[2]), n = e[3].toLowerCase();
+  let s;
+  switch (n) {
+    case "sec":
+    case "secs":
+    case "second":
+    case "seconds":
+    case "s":
+      s = Math.round(r);
+      break;
+    case "minute":
+    case "minutes":
+    case "min":
+    case "mins":
+    case "m":
+      s = Math.round(r * oe);
+      break;
+    case "hour":
+    case "hours":
+    case "hr":
+    case "hrs":
+    case "h":
+      s = Math.round(r * ce);
+      break;
+    case "day":
+    case "days":
+    case "d":
+      s = Math.round(r * F);
+      break;
+    case "week":
+    case "weeks":
+    case "w":
+      s = Math.round(r * Ge);
+      break;
+    default:
+      s = Math.round(r * ze);
+      break;
+  }
+  return e[1] === "-" || e[4] === "ago" ? -s : s;
+}
+const Y = (t) => t.includes("/") ? t.toLowerCase() : `application/${t.toLowerCase()}`, qe = (t, e) => typeof t == "string" ? e.includes(t) : Array.isArray(t) ? e.some(Set.prototype.has.bind(new Set(t))) : !1;
+function Ye(t, e, r = {}) {
+  let n;
+  try {
+    n = JSON.parse(_.decode(e));
+  } catch {
+  }
+  if (!E(n))
+    throw new j("JWT Claims Set must be a top-level JSON object");
+  const { typ: s } = r;
+  if (s && (typeof t.typ != "string" || Y(t.typ) !== Y(s)))
+    throw new y('unexpected "typ" JWT header value', n, "typ", "check_failed");
+  const { requiredClaims: a = [], issuer: i, subject: c, audience: u, maxTokenAge: h } = r, o = [...a];
+  h !== void 0 && o.push("iat"), u !== void 0 && o.push("aud"), c !== void 0 && o.push("sub"), i !== void 0 && o.push("iss");
+  for (const p of new Set(o.reverse()))
+    if (!(p in n))
+      throw new y(`missing required "${p}" claim`, n, p, "missing");
+  if (i && !(Array.isArray(i) ? i : [i]).includes(n.iss))
+    throw new y('unexpected "iss" claim value', n, "iss", "check_failed");
+  if (c && n.sub !== c)
+    throw new y('unexpected "sub" claim value', n, "sub", "check_failed");
+  if (u && !qe(n.aud, typeof u == "string" ? [u] : u))
+    throw new y('unexpected "aud" claim value', n, "aud", "check_failed");
+  let d;
+  switch (typeof r.clockTolerance) {
+    case "string":
+      d = q(r.clockTolerance);
+      break;
+    case "number":
+      d = r.clockTolerance;
+      break;
+    case "undefined":
+      d = 0;
+      break;
+    default:
+      throw new TypeError("Invalid clockTolerance option type");
+  }
+  const { currentDate: V } = r, b = Ve(V || /* @__PURE__ */ new Date());
+  if ((n.iat !== void 0 || h) && typeof n.iat != "number")
+    throw new y('"iat" claim must be a number', n, "iat", "invalid");
+  if (n.nbf !== void 0) {
+    if (typeof n.nbf != "number")
+      throw new y('"nbf" claim must be a number', n, "nbf", "invalid");
+    if (n.nbf > b + d)
+      throw new y('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
+  }
+  if (n.exp !== void 0) {
+    if (typeof n.exp != "number")
+      throw new y('"exp" claim must be a number', n, "exp", "invalid");
+    if (n.exp <= b - d)
+      throw new z('"exp" claim timestamp check failed', n, "exp", "check_failed");
+  }
+  if (h) {
+    const p = b - n.iat, P = typeof h == "number" ? h : q(h);
+    if (p - d > P)
+      throw new z('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
+    if (p < 0 - d)
+      throw new y('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
+  }
+  return n;
+}
+async function Xe(t, e, r) {
+  const n = await Fe(t, e, r);
+  if (n.protectedHeader.crit?.includes("b64") && n.protectedHeader.b64 === !1)
+    throw new j("JWTs MUST NOT use unencoded payload");
+  const a = { payload: Ye(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
+  return typeof e == "function" ? { ...a, key: n.key } : a;
+}
+function Qe(t) {
+  switch (typeof t == "string" && t.slice(0, 2)) {
+    case "RS":
+    case "PS":
+      return "RSA";
+    case "ES":
+      return "EC";
+    case "Ed":
+      return "OKP";
+    case "ML":
+      return "AKP";
+    default:
+      throw new w('Unsupported "alg" value for a JSON Web Key Set');
+  }
+}
+function Ze(t) {
+  return t && typeof t == "object" && Array.isArray(t.keys) && t.keys.every(je);
+}
+function je(t) {
+  return E(t);
+}
+class et {
+  #r;
+  #i = /* @__PURE__ */ new WeakMap();
+  constructor(e) {
+    if (!Ze(e))
+      throw new ee("JSON Web Key Set malformed");
+    this.#r = structuredClone(e);
+  }
+  jwks() {
+    return this.#r;
+  }
+  async getKey(e, r) {
+    const { alg: n, kid: s } = { ...e, ...r?.header }, a = Qe(n), i = this.#r.keys.filter((h) => {
+      let o = a === h.kty;
+      if (o && typeof s == "string" && (o = s === h.kid), o && (typeof h.alg == "string" || a === "AKP") && (o = n === h.alg), o && typeof h.use == "string" && (o = h.use === "sig"), o && Array.isArray(h.key_ops) && (o = h.key_ops.includes("verify")), o)
+        switch (n) {
+          case "ES256":
+            o = h.crv === "P-256";
+            break;
+          case "ES384":
+            o = h.crv === "P-384";
+            break;
+          case "ES512":
+            o = h.crv === "P-521";
+            break;
+          case "Ed25519":
+          case "EdDSA":
+            o = h.crv === "Ed25519";
+            break;
+        }
+      return o;
+    }), { 0: c, length: u } = i;
+    if (u === 0)
+      throw new te();
+    if (u !== 1) {
+      const h = new Se(), o = this.#i;
+      throw h[Symbol.asyncIterator] = async function* () {
+        for (const d of i)
+          try {
+            yield await X(o, d, n);
+          } catch {
+          }
+      }, h;
+    }
+    return X(this.#i, c, n);
+  }
+}
+async function X(t, e, r) {
+  const n = t.get(e) || t.set(e, {}).get(e);
+  if (n[r] === void 0) {
+    const s = await Pe({ ...e, ext: !0 }, r);
+    if (s instanceof Uint8Array || s.type !== "public")
+      throw new ee("JSON Web Key Set members must be public keys");
+    n[r] = s;
+  }
+  return n[r];
+}
+function Q(t) {
+  const e = new et(t), r = async (n, s) => e.getKey(n, s);
+  return Object.defineProperties(r, {
+    jwks: {
+      value: () => structuredClone(e.jwks()),
+      enumerable: !1,
+      configurable: !1,
+      writable: !1
+    }
+  }), r;
+}
+function tt() {
+  return typeof WebSocketPair < "u" || typeof navigator < "u" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime < "u" && EdgeRuntime === "vercel";
+}
+let M;
+(typeof navigator > "u" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) && (M = "jose/v6.1.3");
+const rt = /* @__PURE__ */ Symbol();
+async function nt(t, e, r, n = fetch) {
+  const s = await n(t, {
+    method: "GET",
+    signal: r,
+    redirect: "manual",
+    headers: e
+  }).catch((a) => {
+    throw a.name === "TimeoutError" ? new ge() : a;
+  });
+  if (s.status !== 200)
+    throw new l("Expected 200 OK from the JSON Web Key Set HTTP response");
+  try {
+    return await s.json();
+  } catch {
+    throw new l("Failed to parse the JSON Web Key Set HTTP response as JSON");
+  }
+}
+const x = /* @__PURE__ */ Symbol();
+function st(t, e) {
+  return !(typeof t != "object" || t === null || !("uat" in t) || typeof t.uat != "number" || Date.now() - t.uat >= e || !("jwks" in t) || !E(t.jwks) || !Array.isArray(t.jwks.keys) || !Array.prototype.every.call(t.jwks.keys, E));
+}
+class at {
+  #r;
+  #i;
+  #c;
+  #o;
+  #n;
+  #e;
+  #t;
+  #h;
+  #s;
+  #a;
+  constructor(e, r) {
+    if (!(e instanceof URL))
+      throw new TypeError("url must be an instance of URL");
+    this.#r = new URL(e.href), this.#i = typeof r?.timeoutDuration == "number" ? r?.timeoutDuration : 5e3, this.#c = typeof r?.cooldownDuration == "number" ? r?.cooldownDuration : 3e4, this.#o = typeof r?.cacheMaxAge == "number" ? r?.cacheMaxAge : 6e5, this.#t = new Headers(r?.headers), M && !this.#t.has("User-Agent") && this.#t.set("User-Agent", M), this.#t.has("accept") || (this.#t.set("accept", "application/json"), this.#t.append("accept", "application/jwk-set+json")), this.#h = r?.[rt], r?.[x] !== void 0 && (this.#a = r?.[x], st(r?.[x], this.#o) && (this.#n = this.#a.uat, this.#s = Q(this.#a.jwks)));
+  }
+  pendingFetch() {
+    return !!this.#e;
+  }
+  coolingDown() {
+    return typeof this.#n == "number" ? Date.now() < this.#n + this.#c : !1;
+  }
+  fresh() {
+    return typeof this.#n == "number" ? Date.now() < this.#n + this.#o : !1;
+  }
+  jwks() {
+    return this.#s?.jwks();
+  }
+  async getKey(e, r) {
+    (!this.#s || !this.fresh()) && await this.reload();
+    try {
+      return await this.#s(e, r);
+    } catch (n) {
+      if (n instanceof te && this.coolingDown() === !1)
+        return await this.reload(), this.#s(e, r);
+      throw n;
+    }
+  }
+  async reload() {
+    this.#e && tt() && (this.#e = void 0), this.#e ||= nt(this.#r.href, this.#t, AbortSignal.timeout(this.#i), this.#h).then((e) => {
+      this.#s = Q(e), this.#a && (this.#a.uat = Date.now(), this.#a.jwks = e), this.#n = Date.now(), this.#e = void 0;
+    }).catch((e) => {
+      throw this.#e = void 0, e;
+    }), await this.#e;
+  }
+}
+function it(t, e) {
+  const r = new at(t, e), n = async (s, a) => r.getKey(s, a);
+  return Object.defineProperties(n, {
+    coolingDown: {
+      get: () => r.coolingDown(),
+      enumerable: !0,
+      configurable: !1
+    },
+    fresh: {
+      get: () => r.fresh(),
+      enumerable: !0,
+      configurable: !1
+    },
+    reload: {
+      value: () => r.reload(),
+      enumerable: !0,
+      configurable: !1,
+      writable: !1
+    },
+    reloading: {
+      get: () => r.pendingFetch(),
+      enumerable: !0,
+      configurable: !1
+    },
+    jwks: {
+      value: () => r.jwks(),
+      enumerable: !0,
+      configurable: !1,
+      writable: !1
+    }
+  }), n;
+}
+class ot {
+  jwksUrl;
+  JWKS;
+  constructor(e) {
+    this.jwksUrl = e, this.JWKS = it(new URL(this.jwksUrl));
+  }
+  /**
+   * Verify a JWT against the JWKS
+   */
+  async verify(e) {
+    return Xe(e, this.JWKS);
+  }
+}
+class ct {
   store = /* @__PURE__ */ new Map();
   async get(e) {
     return this.store.get(e) ?? null;
   }
-  async set(e, t) {
-    this.store.set(e, t);
+  async set(e, r) {
+    this.store.set(e, r);
   }
   async remove(e) {
     this.store.delete(e);
@@ -314,7 +1360,7 @@ class E {
     this.store.clear();
   }
 }
-class T {
+class Z {
   prefix;
   constructor(e = "genation") {
     this.prefix = e;
@@ -325,8 +1371,8 @@ class T {
   async get(e) {
     return typeof window > "u" ? null : localStorage.getItem(this.getKey(e));
   }
-  async set(e, t) {
-    typeof window > "u" || localStorage.setItem(this.getKey(e), t);
+  async set(e, r) {
+    typeof window > "u" || localStorage.setItem(this.getKey(e), r);
   }
   async remove(e) {
     typeof window > "u" || localStorage.removeItem(this.getKey(e));
@@ -334,11 +1380,11 @@ class T {
   async clear() {
     if (typeof window > "u") return;
     Object.keys(localStorage).filter(
-      (t) => t.startsWith(`${this.prefix}:`)
-    ).forEach((t) => localStorage.removeItem(t));
+      (r) => r.startsWith(`${this.prefix}:`)
+    ).forEach((r) => localStorage.removeItem(r));
   }
 }
-class A {
+class ht {
   prefix;
   constructor(e = "genation") {
     this.prefix = e;
@@ -349,8 +1395,8 @@ class A {
   async get(e) {
     return typeof window > "u" ? null : sessionStorage.getItem(this.getKey(e));
   }
-  async set(e, t) {
-    typeof window > "u" || sessionStorage.setItem(this.getKey(e), t);
+  async set(e, r) {
+    typeof window > "u" || sessionStorage.setItem(this.getKey(e), r);
   }
   async remove(e) {
     typeof window > "u" || sessionStorage.removeItem(this.getKey(e));
@@ -358,62 +1404,65 @@ class A {
   async clear() {
     if (typeof window > "u") return;
     Object.keys(sessionStorage).filter(
-      (t) => t.startsWith(`${this.prefix}:`)
-    ).forEach((t) => sessionStorage.removeItem(t));
+      (r) => r.startsWith(`${this.prefix}:`)
+    ).forEach((r) => sessionStorage.removeItem(r));
   }
 }
-function M(r = "localStorage") {
-  switch (r) {
+function ut(t = "localStorage") {
+  switch (t) {
     case "memory":
-      return new E();
+      return new ct();
     case "localStorage":
-      return new T();
+      return new Z();
     case "sessionStorage":
-      return new A();
+      return new ht();
     default:
-      return new T();
+      return new Z();
   }
 }
-function w(r) {
-  return Array.isArray(r) ? r.map(w) : typeof r == "object" && r !== null ? Object.fromEntries(
-    Object.entries(r).map(([e, t]) => [
-      e.replace(/_([a-z])/g, (s, n) => n.toUpperCase()),
-      w(t)
+function H(t) {
+  return Array.isArray(t) ? t.map(H) : typeof t == "object" && t !== null ? Object.fromEntries(
+    Object.entries(t).map(([e, r]) => [
+      e.replace(/_([a-z])/g, (n, s) => s.toUpperCase()),
+      H(r)
     ])
-  ) : r;
+  ) : t;
 }
-class K {
+class ft {
   oauth;
   tokenManager;
+  tokenVerifier;
   http;
   httpServer;
   listeners = /* @__PURE__ */ new Set();
   initialized = !1;
   constructor(e) {
     this.validateConfig(e);
-    const t = typeof e.storage == "object" ? e.storage : M(e.storage);
-    this.tokenManager = new I(t), this.oauth = new x(e, this.tokenManager), this.http = new p({
-      baseUrl: e.authUrl ?? "https://mnnoheowoowbtpuoguul.supabase.co/auth/v1"
-    }), this.httpServer = new p({
+    const r = typeof e.storage == "object" ? e.storage : ut(e.storage), n = e.authUrl ?? "https://mnnoheowoowbtpuoguul.supabase.co/auth/v1";
+    this.tokenManager = new le(r), this.oauth = new ye(e, this.tokenManager), this.tokenVerifier = new ot(
+      `${n}/.well-known/jwks.json`
+    ), this.http = new D({
+      baseUrl: n
+    }), this.httpServer = new D({
       baseUrl: "https://ff-api.genation.ai/api/v2/client"
     });
   }
   validateConfig(e) {
-    if (!e.clientId) throw u.missingField("clientId");
+    if (!e.clientId) throw v.missingField("clientId");
     if (!e.clientSecret)
-      throw u.missingField("clientSecret");
-    if (!e.redirectUri) throw u.missingField("redirectUri");
+      throw v.missingField("clientSecret");
+    if (!e.redirectUri) throw v.missingField("redirectUri");
   }
   /**
    * Emit auth state change event to all listeners
    */
   async emitAuthStateChange(e) {
-    const t = await this.getSession();
-    this.listeners.forEach((s) => {
+    const r = await this.getSession();
+    this.listeners.forEach((n) => {
       try {
-        s(e, t);
-      } catch (n) {
-        console.error("Error in auth state change callback:", n);
+        n(e, r);
+      } catch (s) {
+        console.error("Error in auth state change callback:", s);
       }
     });
   }
@@ -507,30 +1556,29 @@ class K {
    * ```
    */
   async handleCallback(e) {
-    const t = new URL(e), s = t.searchParams.get("code"), n = t.searchParams.get("state");
-    if (!s || !n)
+    const r = new URL(e), n = r.searchParams.get("code"), s = r.searchParams.get("state");
+    if (!n || !s)
       throw new Error("Missing code or state");
-    const i = await this.oauth.exchangeCode(s, n);
-    return await this.emitAuthStateChange("SIGNED_IN"), i;
-  }
-  // /**
-  //  * Sign out and revoke tokens
-  //  *
-  //  * Clears local session and revokes tokens on server.
-  //  * Triggers `SIGNED_OUT` event for all listeners.
-  //  *
-  //  * @example
-  //  * ```typescript
-  //  * async function handleLogout() {
-  //  *   await client.signOut();
-  //  *   // onAuthStateChange will fire with SIGNED_OUT event
-  //  * }
-  //  * ```
-  //  */
-  // async signOut(): Promise<void> {
-  //     await this.oauth.revokeToken();
-  //     await this.emitAuthStateChange("SIGNED_OUT");
-  // }
+    const a = await this.oauth.exchangeCode(n, s);
+    return await this.emitAuthStateChange("SIGNED_IN"), a;
+  }
+  /**
+   * Sign out and revoke tokens
+   *
+   * Clears local session.
+   * Triggers `SIGNED_OUT` event for all listeners.
+   *
+   * @example
+   * ```typescript
+   * async function handleLogout() {
+   *   await client.signOut();
+   *   // onAuthStateChange will fire with SIGNED_OUT event
+   * }
+   * ```
+   */
+  async signOut() {
+    await this.tokenManager.clearTokens(), await this.emitAuthStateChange("SIGNED_OUT");
+  }
   /**
    * Get current session
    *
@@ -559,17 +1607,30 @@ class K {
       } catch {
         return null;
       }
-    const t = await this.tokenManager.getTokens();
-    if (!t) return null;
-    const s = await this.fetchUser(t.accessToken);
+    const r = await this.tokenManager.getTokens();
+    if (!r) return null;
+    const n = await this.fetchUser(r.accessToken);
     return {
-      accessToken: t.accessToken,
-      refreshToken: t.refreshToken,
-      expiresIn: t.expiresIn,
-      expiresAt: t.issuedAt + t.expiresIn * 1e3,
-      user: s
+      accessToken: r.accessToken,
+      refreshToken: r.refreshToken,
+      expiresIn: r.expiresIn,
+      expiresAt: r.issuedAt + r.expiresIn * 1e3,
+      user: n
     };
   }
+  /**
+   * Verify a JWT token
+   *
+   * Validates the token signature using the public JWKS.
+   *
+   * @param token - JWT token to verify
+   * @returns Decoded token payload if valid
+   * @throws Error if token is invalid
+   */
+  async verifyToken(e) {
+    const { payload: r } = await this.tokenVerifier.verify(e);
+    return r;
+  }
   /**
    * Get licenses
    * @param accessToken - The access token to use for the request
@@ -578,50 +1639,50 @@ class K {
    * @returns The licenses
    */
   async getLicenses(e = {}) {
-    const t = await this.getSession();
-    if (!t)
+    const r = await this.getSession();
+    if (!r)
       return null;
-    const s = t.accessToken, { expiresAfter: n = /* @__PURE__ */ new Date() } = e, i = await this.httpServer.request("/licenses", {
-      headers: { Authorization: `Bearer ${s}` },
-      params: { expiresAfter: n.toISOString() }
+    const n = r.accessToken, { expiresAfter: s = /* @__PURE__ */ new Date() } = e, a = await this.httpServer.request("/licenses", {
+      headers: { Authorization: `Bearer ${n}` },
+      params: { expiresAfter: s.toISOString() }
     });
-    return i.ok ? w(i.data) : (console.error("GenationClient: Error fetching licenses:", i.error), null);
+    return a.ok ? H(a.data) : (console.error("GenationClient: Error fetching licenses:", a.error), null);
   }
   /**
    * Fetch user info from auth server
    */
   async fetchUser(e) {
     try {
-      const t = await this.http.request("/oauth/userinfo", {
+      const r = await this.http.request("/oauth/userinfo", {
         headers: { Authorization: `Bearer ${e}` }
       });
       return {
-        sub: t.sub,
-        name: t.name,
-        picture: t.picture,
-        email: t.email,
-        email_verified: t.email_verified,
-        phone_number: t.phone_number,
-        phone_number_verified: t.phone_number_verified
+        sub: r.sub,
+        name: r.name,
+        picture: r.picture,
+        email: r.email,
+        email_verified: r.email_verified,
+        phone_number: r.phone_number,
+        phone_number_verified: r.phone_number_verified
       };
-    } catch (t) {
-      return console.error("GenationClient: Error fetching user:", t), null;
+    } catch (r) {
+      return console.error("GenationClient: Error fetching user:", r), null;
     }
   }
 }
-function $(r) {
-  return new K(r);
+function dt(t) {
+  return new ft(t);
 }
 export {
-  l as AuthError,
-  u as ConfigError,
-  K as GenationClient,
-  m as GenationError,
-  T as LocalStorage,
-  E as MemoryStorage,
-  h as NetworkError,
-  A as SessionStorage,
-  $ as createClient,
-  M as createStorage
+  g as AuthError,
+  v as ConfigError,
+  ft as GenationClient,
+  N as GenationError,
+  Z as LocalStorage,
+  ct as MemoryStorage,
+  S as NetworkError,
+  ht as SessionStorage,
+  dt as createClient,
+  ut as createStorage
 };
 //# sourceMappingURL=genation.es.js.map